Description

While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.

Remediation

References

https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E

https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3CCAH%2BvQmMUNnkiXv2-d3ucdErWOsdnLi6CgnK%2BVfixyJvTgTuYig%40mail.gmail.com%3E

https://security.netapp.com/advisory/ntap-20210827-0002/

Related Vulnerabilities

CVE-2023-31453 Vulnerability in maven package org.apache.inlong:manager-service

CVE-2023-6393 Vulnerability in maven package io.quarkus:quarkus-cache

CVE-2022-46363 Vulnerability in maven package org.apache.cxf:cxf-rt-transports-http

CVE-2023-29205 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rendering-xwiki

CVE-2022-31943 Vulnerability in maven package net.mingsoft:ms-mcms

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Vendor Advisory Third Party Advisory NVD-CWE-Other