GHSA-72m6-23ff-7q26

Suggest an improvement
Source
https://github.com/advisories/GHSA-72m6-23ff-7q26
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-72m6-23ff-7q26/GHSA-72m6-23ff-7q26.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-72m6-23ff-7q26
Aliases
Published
2022-05-14T01:14:52Z
Modified
2024-12-07T05:24:15.755745Z
Summary
Improper Authentication in Apache WSS4J
Details

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.

Database specific 
{
    "nvd_published_at": "2015-08-24T14:59:00Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-07T22:34:06Z"
}
References

Affected packages

Maven / org.apache.activemq:activemq-broker

Package

Name
org.apache.activemq:activemq-broker
View open source insights on deps.dev
Purl
pkg:maven/org.apache.activemq/activemq-broker

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.10.1

Affected versions

5.*

5.8.0
5.9.0
5.9.1
5.10.0

Maven / org.apache.activemq:activemq-jaas

Package

Name
org.apache.activemq:activemq-jaas
View open source insights on deps.dev
Purl
pkg:maven/org.apache.activemq/activemq-jaas

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.10.1

Affected versions

5.*

5.0.0
5.1.0
5.2.0
5.3.0
5.3.1
5.3.2
5.4.0
5.4.1
5.4.2
5.4.3
5.5.0
5.5.1
5.6.0
5.7.0
5.8.0
5.9.0
5.9.1
5.10.0