Description
While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.
Remediation
References
https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E
https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3CCAH%2BvQmMUNnkiXv2-d3ucdErWOsdnLi6CgnK%2BVfixyJvTgTuYig%40mail.gmail.com%3E
https://security.netapp.com/advisory/ntap-20210827-0002/
Related Vulnerabilities
CVE-2022-28220 Vulnerability in maven package org.apache.james:james-server-protocols-managesieve
CVE-2023-29215 Vulnerability in maven package org.apache.linkis:linkis-common
CVE-2022-4493 Vulnerability in maven package io.scif:scifio
CVE-2020-2279 Vulnerability in maven package org.jenkins-ci.plugins:script-security