CVE-2014-3612

Apache Activemq < 5.10.1 - Authentication Bypass

Title source: rule

Description

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.

References (6)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2015-0137.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2015-0138.html

[Vendor Advisory] http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt

[Mailing List] http://seclists.org/oss-sec/2015/q1/427

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/72513

[Mailing List] https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E

Scores

EPSS 0.0070

EPSS Percentile 71.8%

Classification

CWE

CWE-287

Status draft

Affected Products (20)

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

apache/activemq

... and 5 more

Timeline

Published Aug 24, 2015

Tracked Since Feb 18, 2026