
CVE-2014-3612

Published: 24/08/2015 Updated: 13/02/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x prior to 5.10.1 allows remote malicious users to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.

Vulnerable Products

apache activemq 5.0.0
apache activemq 5.1.0
apache activemq 5.2.0
apache activemq 5.3.0
apache activemq 5.3.1
apache activemq 5.3.2
apache activemq 5.4.0
apache activemq 5.4.1
apache activemq 5.4.2
apache activemq 5.4.3
apache activemq 5.5.0
apache activemq 5.5.1
apache activemq 5.6.0
apache activemq 5.7.0
apache activemq 5.8.0
apache activemq 5.9.0
apache activemq 5.9.1
apache activemq 5.10.0

Vendor Advisories

Synopsis: Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 security update. Type/Severity: Security Advisory: Important. Topic: Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P8 (Patch 8 on Rollup Patch 1), which fixes two security issues, is now available from the Red Hat Customer Portal. Red Hat Product Securi ...
Debian Bug report logs - #792857 CVE-2014-3576. Package: src:activemq; Maintainer for src:activemq is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Moritz Muehlenhoff <jmm@debian.org>; Date: Sun, 19 Jul 2015 12:48:01 UTC; Severity: grave; Tags: jessie, security, sid, stretch, wheezy ...
Debian Bug report logs - #777196 activemq: CVE-2014-8110 CVE-2014-3612 CVE-2014-3600. Package: activemq; Maintainer for activemq is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for activemq is src:activemq (PTS, buildd, popcon); Reported by: Moritz Muehlenhoff <jmm@inutil.org>; Date: Fr ...
It was found that if a configured LDAP server supported the unauthenticated authentication mechanism (as described by RFC 4513), the LDAPLoginModule implementation, provided by ActiveMQ Java Authentication and Authorization Service (JAAS), would consider an authentication attempt to be successful for a valid user that provided an empty password. A ...
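To make the mechanism behind the summary and the advisory text above concrete, here is an added example written for this page (not ActiveMQ's LDAPLoginModule or any real LDAP client). The fake directory follows the RFC 4513 unauthenticated-bind rule, `vulnerable_login` reproduces the flawed "bind succeeded means authenticated" pattern, `hardened_login` adds the client-side empty-password check, and the server flag shows the directory-side mitigation; the DN layout and sample password are constructed.

```python
from dataclasses import dataclass


@dataclass
class FakeLdapServer:
    """Constructed stand-in for a directory server.

    Per RFC 4513 section 5.1.2, a simple bind carrying a name and an EMPTY
    password is an 'unauthenticated' bind: when the server permits it, the
    bind succeeds but establishes no identity (effectively anonymous).
    """
    passwords: dict                      # dn -> password (sample data)
    unauthenticated_bind_allowed: bool = True  # directory-side setting

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            # Unauthenticated bind: success is NOT a password verification.
            return self.unauthenticated_bind_allowed
        return self.passwords.get(dn) == password


def _user_dn(username: str) -> str:
    # Hypothetical DN layout used only for this example.
    return f"uid={username},ou=users,dc=example,dc=com"


def vulnerable_login(server: FakeLdapServer, username: str, password: str) -> bool:
    # Flawed pattern: any successful bind is treated as a verified login,
    # so a valid username plus an empty password is accepted.
    return server.simple_bind(_user_dn(username), password)


def hardened_login(server: FakeLdapServer, username: str, password: str) -> bool:
    # Reject empty or blank credentials before they reach the directory, so an
    # unauthenticated bind can never be mistaken for a password check.
    if not username or not password or password.strip() == "":
        return False
    return server.simple_bind(_user_dn(username), password)
```

Disabling unauthenticated binds on the directory (the `unauthenticated_bind_allowed=False` case) closes the same gap server-side, but the client-side check is the fix that does not depend on directory configuration.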