VDB
CVE-2014-3612
CVE-2014-3612
PUBLISHED
The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.
EPSS 0.71% · 72.5th percentile
Risk Scores
EPSS Score
0.71%
72.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:14.04:LTS | activemq | 5.6.0+dfsg-1, 0 |
Exploit Intelligence
- 72513 (circl)
- [oss-security] 20150205 [ANNOUNCE] CVE-2014-3600, CVE-2014-3612 and CVE-2014-8110 - Apache ActiveMQ vulnerabilities (circl)
- http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt (circl)
- RHSA-2015:0137 (circl)
- RHSA-2015:0138 (circl)
- [activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/ (circl)
- Apache ActiveMQ 5.0.0 - 5.10.0 JAAS LDAPLoginModule empty password authentication Vulnerability (0day-today)
- Apache ActiveMQ 5.0.0 - 5.10.0 JAAS LDAPLoginModule empty password authentication Vulnerability (0day-today)
Timeline
- Aug 24, 2015 CVE Published
- Aug 27, 2015 PoC Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2014-3612 third-party-advisory
- http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt third-party-advisory
- http://seclists.org/oss-sec/2015/q1/427 third-party-advisory
- http://rhn.redhat.com/errata/RHSA-2015-0137.html third-party-advisory
- http://rhn.redhat.com/errata/RHSA-2015-0138.html third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2014-3612 third-party-advisory