CVE-2021-26118

Published: Jan 27, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.

Affected (2)

Products: Apache: Activemq Artemis · Netapp: Oncommand Workflow Automation

1 product

Activemq Artemis

1 product

Oncommand Workflow Automation

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Activemq Artemis	Version 2.15.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Workflow Automation	All versions

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E

Source: security@apache.org

https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3CCAH%2BvQmMUNnkiXv2-d3ucdErWOsdnLi6CgnK%2BVfixyJvTgTuYig%40mail.gmail.com%3E

Source: security@apache.org

Mailing ListVendor Advisory

https://security.netapp.com/advisory/ntap-20210827-0002/

Source: security@apache.org

Third Party Advisory

https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3CCAH%2BvQmMUNnkiXv2-d3ucdErWOsdnLi6CgnK%2BVfixyJvTgTuYig%40mail.gmail.com%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

https://security.netapp.com/advisory/ntap-20210827-0002/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.