Lucene search

[email protected]CVE-2021-26117

HistoryJan 27, 2021 - 7:15 p.m.

CVE-2021-26117

2021-01-2719:15:00

CWE-287

[email protected]

web.nvd.nist.gov

103

cve

2021

26117

activemq

ldap

anonymous access

security vulnerability

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.4 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

53.5%

JSON

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.

CPENameOperatorVersion
apache:activemqapache activemqlt5.15.14
apache:activemqapache activemqlt5.16.1
apache:activemq_artemisapache activemq artemislt2.16.0
netapp:oncommand_workflow_automationnetapp oncommand workflow automationeq-
debian:debian_linuxdebian debian linuxeq9.0
oracle:flexcube_private_bankingoracle flexcube private bankingeq12.1.0
oracle:flexcube_private_bankingoracle flexcube private bankingeq12.0.0
oracle:communications_session_report_manageroracle communications session report managerle8.2.2
oracle:communications_element_manageroracle communications element managerle8.2.4.0
oracle:communications_session_route_manageroracle communications session route managerle8.2.2

CPE	Name	Operator	Version
apache:activemq	apache activemq	lt	5.15.14
apache:activemq	apache activemq	lt	5.16.1
apache:activemq_artemis	apache activemq artemis	lt	2.16.0
netapp:oncommand_workflow_automation	netapp oncommand workflow automation	eq	-
debian:debian_linux	debian debian linux	eq	9.0
oracle:flexcube_private_banking	oracle flexcube private banking	eq	12.1.0
oracle:flexcube_private_banking	oracle flexcube private banking	eq	12.0.0
oracle:communications_session_report_manager	oracle communications session report manager	le	8.2.2
oracle:communications_element_manager	oracle communications element manager	le	8.2.4.0
oracle:communications_session_route_manager	oracle communications session route manager	le	8.2.2

References

lists.apache.org/thread.html/r110cacfa754471361234965ffe851a046e302ff2693b055f49f47b02%40%3Cissues.activemq.apache.org%3E

lists.apache.org/thread.html/r22cdc0fb45e223ac92bc2ceff7af92f1193dfc614c8b248534456229%40%3Cissues.activemq.apache.org%3E

lists.apache.org/thread.html/r3341d96d8f956e878fb7b463b08d57ca1d58fec9c970aee929b58e0d%40%3Cissues.activemq.apache.org%3E

lists.apache.org/thread.html/r519bfafd67091d0b91243efcb1c49b1eea27321355ba5594f679277d%40%3Cissues.activemq.apache.org%3E

lists.apache.org/thread.html/r5899ece90bcae5805ad6142fdb05c58595cff19cb2e98cc58a91f55b%40%3Cgitbox.activemq.apache.org%3E

lists.apache.org/thread.html/r70389648227317bdadcdecbd9f238571a6047469d156bd72bb0ca2f7%40%3Cgitbox.activemq.apache.org%3E

lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E

lists.apache.org/thread.html/ra255ddfc8b613b80e9fa22ff3e106168b245f38a22316bfb54d21159%40%3Cissues.activemq.apache.org%3E

lists.apache.org/thread.html/raea451de09baed76950d6a60cc4bb1b74476c505e03205a3c68c9808%40%3Cissues.activemq.apache.org%3E

lists.apache.org/thread.html/rd05b1c9d61dbd220664d559aa0e2b55e5830f006a09e82057f3f7863%40%3Cissues.activemq.apache.org%3E

lists.apache.org/thread.html/rd75600cee29cb248d548edcf6338fe296466d63a69e2ed0afc439ec7%40%3Cissues.activemq.apache.org%3E

lists.apache.org/thread.html/re1b98da90a5f2e1c2e2d50e31c12e2578d61fe01c0737f9d0bd8de99%40%3Cannounce.apache.org%3E

lists.apache.org/thread.html/rec93794f8aeddf8a5f1a643d264b4e66b933f06fd72a38f31448f0ac%40%3Cgitbox.activemq.apache.org%3E

lists.apache.org/thread.html/rffa5cd05d01c4c9853b17f3004d80ea6eb8856c422a8545c5f79b1a6%40%3Ccommits.activemq.apache.org%3E

lists.debian.org/debian-lts-announce/2021/03/msg00005.html

lists.debian.org/debian-lts-announce/2023/11/msg00013.html

mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3cCAH+vQmMeUEiKN4wYX9nLBbqmFZFPXqajNvBKmzb2V8QZANcSTA%40mail.gmail.com%3e

security.netapp.com/advisory/ntap-20210304-0008/

www.oracle.com//security-alerts/cpujul2021.html

www.oracle.com/security-alerts/cpuApr2021.html

www.oracle.com/security-alerts/cpuoct2021.html

Social References

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.4 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

53.5%

JSON

Related for CVE-2021-26117

osv5 github1 prion1 ubuntucve1 redhatcve1 debiancve1 veracode1 openvas3 nessus3 redhat3 debian2 oracle3