CVE-2021-26117

Severity: 7.5 HIGH
EPSS: 9.9% (top 6.97%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 27; Latest update Jul 23

Description

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is mistakenly used to verify a valid user's password, so the password is never actually checked.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (10 packages)

Source | Package | Versions
NVD | apache/activemq | 5.15.0 to 5.15.14 (+1 more)
Maven | org.apache.activemq:activemq-parent | 5.16.0 to 5.16.1 (+1 more)
CVEListV5 | apache_software_foundation/apache_activemq (Apache ActiveMQ Artemis) | 2.16.0 (+1 more)

Also affects: Debian Linux 9.0

Patches

Vulnerability Details (4)

OSV | Improper Authentication in Apache ActiveMQ and Apache Artemis | 2021-06-16
GHSA | Improper Authentication in Apache ActiveMQ and Apache Artemis | 2021-06-16
OSV | CVE-2021-26117: The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server | 2021-01-27
CVEList | ActiveMQ: LDAP-Authentication does not verify passwords on servers with anonymous bind | 2021-01-27

Vendor Advisories (5)

Ubuntu | Apache ActiveMQ vulnerabilities | 2024-07-23
Oracle | Oracle Fusion Middleware Risk Matrix: General (Apache ActiveMQ) — CVE-2021-26117 | 2023-07-15
Oracle | Oracle Financial Services Applications Risk Matrix: Financial Planning (Apache ActiveMQ) — CVE-2021-26117 | 2021-07-15
Debian | CVE-2021-26117: activemq - The optional ActiveMQ LDAP login module can be configured to use anonymous acces... | 2021
Red Hat | activemq: LDAP authentication bypass with anonymous bind | 2020-09-07