CVE-2021-26118
HIGH
Apache ActiveMQ Artemis < 2.16.0 - Improper Access Control via OpenWire Advisory Message Creation
Title source: llm
Description
While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.
References (3)
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3CCAH%2BvQmMUNnkiXv2-d3ucdErWOsdnLi6CgnK%2BVfixyJvTgTuYig%40mail.gmail.com%3E
Mailing List mailing-list x_refsource_mlist
https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210827-0002/
Scores
CVSS v3
7.5
EPSS
0.0101
EPSS Percentile
77.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-284
Status
published
Products (3)
apache/activemq_artemis
2.15.0
netapp/oncommand_workflow_automation
org.apache.activemq/artemis-openwire-protocol
0 - 2.16.0 Maven
Published
Jan 27, 2021
Tracked Since
Feb 18, 2026