CVE-2021-26118

While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.

Published: Jan 27, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-26118
GHSA: GHSA-q7fr-vqhq-v5xr
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-284
CWE-287

OWASP TOP 10:

A5 - Broken Access Control
A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
apache / activemq_artemis	2.15.0	2.15.0.x
org.apache.activemq / apache-artemis	-	2.16.0

https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E
https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3CCAH%2BvQmMUNnkiXv2-d3ucdErWOsdnLi6CgnK%2BVfixyJvTgTuYig%40mail.gmail.com%3E
https://security.netapp.com/advisory/ntap-20210827-0002/

Vulnerability Database

289,697

CVE-2021-26118