CVE-2021-26118

Flaw in ActiveMQ Artemis OpenWire support

EPSS 4.0%CWE-284

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 4.0%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

27 Jan 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.

Affected products

Apache Software Foundation · Apache ActiveMQ Artemis

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3CCAH%2BvQmMUNnkiXv2-d3ucdErWOsdnLi6CgnK%2BVfixyJvTgTuYig%40mail.gmail.com%3E https://security.netapp.com/advisory/ntap-20210827-0002/