Description
While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy-based access control for the entire session. Production of advisory messages was, in error, not subject to access control.
Remediation
References
https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E
https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3CCAH%2BvQmMUNnkiXv2-d3ucdErWOsdnLi6CgnK%2BVfixyJvTgTuYig%40mail.gmail.com%3E
https://security.netapp.com/advisory/ntap-20210827-0002/