CVE-2014-3612

CVSS V2 High 7.5 CVSS V3 None
Description
The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.
Overview
  • CVE ID
  • CVE-2014-3612
  • Assigner
  • secalert@redhat.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2015-08-24T14:59:00
  • Last Modified Date
  • 2023-02-13T00:41:05
Weakness Enumerations
CWE URL
CWE-287 http://cwe.mitre.org/data/definitions/287.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.4.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.7.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.8.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.9.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.9.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:activemq:5.10.0:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • PARTIAL
  • Base Score
  • 7.5
  • Severity
  • HIGH
  • Exploitability Score
  • 10
  • Impact Score
  • 6.4
References
Reference URL Reference Tags
http://rhn.redhat.com/errata/RHSA-2015-0137.html
http://rhn.redhat.com/errata/RHSA-2015-0138.html
http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt Vendor Advisory
http://seclists.org/oss-sec/2015/q1/427
http://www.securityfocus.com/bid/72513
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2014-3612
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3612
History
Created Old Value New Value Data Type Notes
2022-05-10 17:44:57 Added to TrackCVE
2022-12-02 06:06:36 2015-08-24T14:59Z 2015-08-24T14:59:00 CVE Published Date updated
2022-12-02 06:06:37 2019-03-27T20:29:01 CVE Modified Date updated
2022-12-02 06:06:37 Modified Vulnerability Status updated
2023-02-13 01:06:04 2023-02-13T00:41:05 CVE Modified Date updated