Description

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types.

Remediation

References

http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt

http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168094.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168651.html

Related Vulnerabilities

CVE-2019-10392 Vulnerability in maven package org.jenkins-ci.plugins:git-client

CVE-2021-28092 Vulnerability in npm package is-svg

CVE-2022-44645 Vulnerability in maven package org.apache.linkis:linkis-metadata-query-service-jdbc

CVE-2023-1784 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-parent

CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-record-serialization-services

Severity

Critical

Classification

CWE-255

Tags

Vendor Advisory Third Party Advisory