Apache ActiveMQ CVE-2021-26117 vulnerability in Apache and Other Products
Published on January 27, 2021

ActiveMQ: LDAP-Authentication does not verify passwords on servers with anonymous bind

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used in error to verify a valid user's password, resulting in no check on the password.

NVD

Weakness Type

What is an authentication Vulnerability?

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

CVE-2021-26117 has been classified as an authentication vulnerability or weakness.


Affected Versions

Apache Software Foundation Apache ActiveMQ:

Exploit Probability

EPSS: 9.94%
Percentile: 92.93%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.