CVE-2014-3612
JAAS: LDAPLoginModule allows empty password authentication
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.
La implementación de LDAPLoginModule en el Java Authentication y Authorization Service (JAAS) en Apache ActiveMQ 5.x en versiones anteriores a 5.10.1 permite a atacantes remotos to eludir la autenticación iniciando sesión con una contraseña vacía y nombre de usuario válido, lo que desencadena un enlace no autenticado. NOTA: este identificador ha sido SEPARADO por ADT2 debido a diferentes tipos de vulnerabilidad. Ver CVE-2015-6524 para el uso de operadores comodín en nombres de usuario.
It was found that if a configured LDAP server supported the unauthenticated authentication mechanism (as described by RFC 4513), the LDAPLoginModule implementation, provided by ActiveMQ Java Authentication and Authorization Service (JAAS), would consider an authentication attempt to be successful for a valid user that provided an empty password. A remote attacker could use this flaw to bypass the authentication mechanism of an application using LDAPLoginModule, and assume a role of any valid user within that application.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-05-14 CVE Reserved
- 2015-02-05 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
- CWE-305: Authentication Bypass by Primary Weakness
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://seclists.org/oss-sec/2015/q1/427 | Mailing List |
|
| http://www.securityfocus.com/bid/72513 | Vdb Entry | |
| https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E | Mailing List |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2015-0137.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2015-0138.html | 2023-02-13 | |
| https://access.redhat.com/security/cve/CVE-2014-3612 | 2015-02-05 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1135912 | 2015-02-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.0.0 Search vendor "Apache" for product "Activemq" and version "5.0.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.1.0 Search vendor "Apache" for product "Activemq" and version "5.1.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.2.0 Search vendor "Apache" for product "Activemq" and version "5.2.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.3.0 Search vendor "Apache" for product "Activemq" and version "5.3.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.3.1 Search vendor "Apache" for product "Activemq" and version "5.3.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.3.2 Search vendor "Apache" for product "Activemq" and version "5.3.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.4.0 Search vendor "Apache" for product "Activemq" and version "5.4.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.4.1 Search vendor "Apache" for product "Activemq" and version "5.4.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.4.2 Search vendor "Apache" for product "Activemq" and version "5.4.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.4.3 Search vendor "Apache" for product "Activemq" and version "5.4.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.5.0 Search vendor "Apache" for product "Activemq" and version "5.5.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.5.1 Search vendor "Apache" for product "Activemq" and version "5.5.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.6.0 Search vendor "Apache" for product "Activemq" and version "5.6.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.7.0 Search vendor "Apache" for product "Activemq" and version "5.7.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.8.0 Search vendor "Apache" for product "Activemq" and version "5.8.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.9.0 Search vendor "Apache" for product "Activemq" and version "5.9.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.9.1 Search vendor "Apache" for product "Activemq" and version "5.9.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.10.0 Search vendor "Apache" for product "Activemq" and version "5.10.0" | - |
Affected
| ||||||