{
  "threat_severity" : "Important",
  "public_date" : "2020-09-07T15:15:00Z",
  "bugzilla" : {
    "description" : "activemq: LDAP authentication bypass with anonymous bind",
    "id" : "1921126",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1921126"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-287",
  "details" : [ "The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used, in error, to verify a valid user's password, resulting in no check on the password.", "A flaw was found in activemq. When anonymous binds are enabled on the LDAP provider (zero length DN/password) and the LDAP module is configured to make use of these, client credentials are not correctly verified and authentication is effectively bypassed. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat AMQ",
    "release_date" : "2020-10-01T00:00:00Z",
    "advisory" : "RHSA-2020:4154",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat AMQ",
    "release_date" : "2020-12-08T00:00:00Z",
    "advisory" : "RHSA-2020:5365",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat Fuse/AMQ 6.3.18",
    "release_date" : "2021-02-02T00:00:00Z",
    "advisory" : "RHSA-2021:0384",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.3",
    "package" : "broker"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-26117", "https://nvd.nist.gov/vuln/detail/CVE-2021-26117" ],
  "name" : "CVE-2021-26117",
  "mitigation" : {
    "value" : "There is currently no known mitigation for this issue.",
    "lang" : "en:us"
  },
  "csaw" : false
}
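The details above describe the shape of the flaw (CWE-287): the login module opens an anonymous LDAP context, locates the user's entry, and then uses that same anonymous context as if it verified the password, so the supplied password is never presented to the server. The following is an added, constructed model of that logic and of a corrected routine; it is not ActiveMQ's LDAPLoginModule and makes no claim about how the upstream fix is written. It assumes an in-memory stand-in for an LDAP server that permits anonymous binds, a constructed DN layout (`uid=<user>,ou=users,dc=example,dc=com`), and constructed sample credentials. The corrected routine also refuses an empty password before binding, because a simple bind with a non-empty DN and empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that some servers accept, which would otherwise be a second way to pass the check without a password.

```python
"""Model of the CWE-287 flaw behind CVE-2021-26117.

Constructed illustration, not ActiveMQ code: an in-memory stand-in for an LDAP
server that permits anonymous binds, a login routine that reuses the anonymous
connection to "verify" the user, and a corrected routine that binds as the
user's DN with the supplied password.
"""
from typing import Dict, Optional


class BindError(Exception):
    """Raised when a simulated LDAP simple bind is rejected."""


class FakeDirectory:
    """In-memory LDAP stand-in. Entries map DN -> password (constructed sample data)."""

    def __init__(self, entries: Dict[str, str]):
        self.entries = entries

    def bind(self, dn: str, password: str) -> "BoundContext":
        """Simulate an RFC 4513 simple bind.

        - empty DN and empty password: anonymous bind, allowed by this server
          (the configuration the advisory describes);
        - non-empty DN and empty password: an 'unauthenticated' bind, which
          RFC 4513 section 5.1.2 says servers should reject by default but
          some accept; modelled here as accepted with no principal, so a
          successful bind with an empty password proves nothing;
        - otherwise the password must match the stored one.
        """
        if password == "":
            if dn != "" and dn not in self.entries:
                raise BindError("no such object")
            return BoundContext(self, principal=None)
        if self.entries.get(dn) == password:
            return BoundContext(self, principal=dn)
        raise BindError("invalid credentials")


class BoundContext:
    """A connection after a successful bind; anonymous reads are permitted."""

    def __init__(self, directory: FakeDirectory, principal: Optional[str]):
        self.directory = directory
        self.principal = principal

    def find_user_dn(self, username: str) -> Optional[str]:
        """Anonymous search for the user's entry (constructed DN layout)."""
        dn = "uid=%s,ou=users,dc=example,dc=com" % username
        return dn if dn in self.directory.entries else None

    def read(self, dn: str) -> bool:
        """Anonymous attribute read; says nothing about the user's password."""
        return dn in self.directory.entries


def vulnerable_authenticate(directory: FakeDirectory, username: str, password: str) -> bool:
    """Module configured with an empty connection DN/password (anonymous bind).

    The user's DN is found, then the *anonymous* context is used to confirm the
    entry exists, and that success is mistaken for a password check. The
    supplied password is never sent to the server.
    """
    ctx = directory.bind("", "")
    user_dn = ctx.find_user_dn(username)
    if user_dn is None:
        return False
    return ctx.read(user_dn)  # any password, including a wrong one, is accepted


def fixed_authenticate(directory: FakeDirectory, username: str, password: str) -> bool:
    """Lookup may stay anonymous, but the credential check is a fresh bind as the
    user's DN with the supplied password. An empty password is refused up front
    so an unauthenticated bind cannot masquerade as success.
    """
    if password == "":
        return False
    ctx = directory.bind("", "")
    user_dn = ctx.find_user_dn(username)
    if user_dn is None:
        return False
    try:
        user_ctx = directory.bind(user_dn, password)
    except BindError:
        return False
    # The server must have authenticated us *as that DN*, not anonymously.
    return user_ctx.principal == user_dn


def sample_directory() -> FakeDirectory:
    """Constructed sample data: one user with a known password."""
    return FakeDirectory({"uid=alice,ou=users,dc=example,dc=com": "s3cret"})
```

Run against `sample_directory()`, `vulnerable_authenticate(..., "alice", "wrong")` returns True while `fixed_authenticate` returns True only for the real password and False for a wrong or empty one. The operational reading of the advisory is the same as the model: the bypass requires both the LDAP server to permit anonymous binds and the module to be configured to connect with an empty DN/password, and the only reliable credential check is a bind as the user's own DN.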