Improper Authentication in Apache WSS4J

Description

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2022-05-14 01:14:52 UTC
Updated
2023-12-20 19:27:50 UTC
GitHub reviewed
2022-07-07 22:34:06 UTC
NVD published
2015-08-24

EPSS Score

Score Percentile
0.70% 71.59%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-287 Improper Authentication

Credits

  • sunSUNQ (analyst)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven org.apache.activemq:activemq-broker >= 5.0.0, < 5.10.1 5.10.1
maven org.apache.activemq:activemq-jaas >= 5.0.0, < 5.10.1 5.10.1

References

cvelogic Threat Intelligence