GHSA-23cr-5hr4-rgwv

Source
https://github.com/advisories/GHSA-23cr-5hr4-rgwv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-23cr-5hr4-rgwv/GHSA-23cr-5hr4-rgwv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-23cr-5hr4-rgwv
Aliases
Published
2022-05-17T03:22:06Z
Modified
2024-02-21T05:29:52.441399Z
Summary
Improper Input Validation in Apache ActiveMQ
Details

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types.

References

Affected packages

Maven / org.apache.activemq:activemq-broker

Package

Name
org.apache.activemq:activemq-broker
Purl
pkg:maven/org.apache.activemq/activemq-broker

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.10.2

Affected versions

5.*

5.8.0
5.9.0
5.9.1
5.10.0
5.10.1

Database specific

{
    "last_known_affected_version_range": "<= 5.10.1"
}

Maven / org.apache.activemq:activemq-jaas

Package

Name
org.apache.activemq:activemq-jaas
Purl
pkg:maven/org.apache.activemq/activemq-jaas

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.10.2

Affected versions

5.*

5.0.0
5.1.0
5.2.0
5.3.0
5.3.1
5.3.2
5.4.0
5.4.1
5.4.2
5.4.3
5.5.0
5.5.1
5.6.0
5.7.0
5.8.0
5.9.0
5.9.1
5.10.0
5.10.1

Database specific

{
    "last_known_affected_version_range": "<= 5.10.1"
}