Improper access control in ActiveMQ Artemis - CVE-2021-26118

 

Improper access control in ActiveMQ Artemis - CVE-2021-26118

Published: January 27, 2021 / Updated: January 28, 2021


Vulnerability identifier: #VU50074
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-26118
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
ActiveMQ Artemis

Detailed vulnerability description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. The creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis bypasses policy based access control for the entire session. A remote user can bypass implemented security restrictions.


How to mitigate CVE-2021-26118

Install updates from vendor's website.

Sources