CVE-2014-3612 Detail
Modified
This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.
Current Description
The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.
Source:
MITRE
View Analysis Description
Analysis Description
The LDAPLoginModule implementation the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.
Source:
MITRE
Impact
CVSS v2.0 Severity and Metrics:
Base Score:
7.5 HIGH
Vector:
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
(V2 legend)
Impact Subscore:
6.4
Exploitability Subscore:
10.0
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (AU):
None
Confidentiality (C):
Partial
Integrity (I):
Partial
Availability (A):
Partial
Additional Information:
Allows unauthorized disclosure of information
Allows unauthorized modification
Allows disruption of service
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because
they may have information that would be of interest to you. No inferences should be drawn on account of other sites
being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose.
NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further,
NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about
this page to nvd@nist.gov.
Change History
6 change records found
- show changes
CVE Modified by MITRE -
3/27/2019 4:29:01 PM
| Action |
Type |
Old Value |
New Value |
| Added |
Reference |
|
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E [No Types Assigned] |
CVE Translated -
5/12/2016 3:45:06 PM
| Action |
Type |
Old Value |
New Value |
| Added |
Translation |
|
La implementación de LDAPLoginModule en el Java Authentication y Authorization Service (JAAS) en Apache ActiveMQ 5.x en versiones anteriores a 5.10.1 permite a atacantes remotos to eludir la autenticación iniciando sesión con una contraseña vacía y nombre de usuario válido, lo que desencadena un enlace no autenticado. NOTA: este identificador ha sido SEPARADO por ADT2 debido a diferentes tipos de vulnerabilidad. Ver CVE-2015-6524 para el uso de operadores comodín en nombres de usuario. |
| Removed |
Translation |
Record truncated, showing 500 of 516 characters.
View Entire Change Record
Vulnerabilidad en la implementación LDAPLoginModule de Java Authentication and Authorization Service (JAAS) en Apache ActiveMQ 5.x en versiones anteriores a 5.10.1, permite a atacantes remotos eludir la autenticación por inicio de sesión con una contraseña vacía y un nombre de usuario válido, lo cual desencadena un enlace no autenticado. NOTA: este identificador ha sido SEPARADO por ADT2 debido a diferentes tipos de vulnerabilidades. Ver CVE-2015-6524 para el uso de operadores comodín en los nom |
|
CVE Modified by Source -
5/11/2016 9:59:08 PM
| Action |
Type |
Old Value |
New Value |
| Changed |
Description |
The LDAPLoginModule implementation the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames. |
The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames. |
Modified Analysis -
8/25/2015 1:37:45 PM
| Action |
Type |
Old Value |
New Value |
| Added |
CPE Configuration |
|
Record truncated, showing 500 of 1050 characters.
View Entire Change Record
Configuration 1
OR
*cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*
*cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*
*cpe:2.3:a:apache:activemq:5.10.0:*:*:*:*:*:*:*
*cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*
*cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*
*cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*
*cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*
*cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*
*cpe:2.3: |
| Added |
CVSS V2 |
|
(AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| Added |
CWE |
|
CWE-287 |
| Changed |
Reference Type |
http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt No Types Assigned |
http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt Advisory |
Initial CVE Analysis -
8/25/2015 8:25:15 AM
Initial CVE Analysis -
8/25/2015 8:24:44 AM
Quick Info
CVE Dictionary Entry:
CVE-2014-3612
NVD Published Date:
08/24/2015
NVD Last Modified:
03/27/2019
|