CVE-2021-26118

CWE-284 — Improper Access Control CWE-285 CWE-287 — Improper Authentication7 documents6 sources

Severity

7.5HIGH

EPSS

1.0%

top 22.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Activemq Artemis Apache Activemq Artemis

Timeline

PublishedJan 27

Latest updateJun 16

Description

While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.activemq:artemis-openwire-protocol< 2.16.0

▶CVEListV5apache_software_foundation/apache_activemq_artemisunspecified — 2.16.0

▶NVDapache/activemq_artemis2.15.0

🔴Vulnerability Details

OSV

Apache ActiveMQ Artemis vulnerable to Improper Access Control↗2021-06-16

▶

GHSA

Apache ActiveMQ Artemis vulnerable to Improper Access Control↗2021-06-16

▶

OSV

CVE-2021-26118: While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2↗2021-01-27

▶

CVEList

Flaw in ActiveMQ Artemis OpenWire support↗2021-01-27

▶

📋Vendor Advisories

Red Hat

7: OpenWire can create destinations with an unpriviledged user↗2020-10-28

▶

💬Community

Bugzilla

CVE-2021-26118 AMQ Broker 7: OpenWire can create destinations with an unpriviledged user↗2020-10-28

▶