Miggo Logo
Miggo Vulnerability Database
CVE-2021-26118

CVE-2021-26118:
Apache ActiveMQ Artemis vulnerable to Improper Access Control

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-26118
GHSA ID
GHSA-q7fr-vqhq-v5xr
EPSS Score
0.76106%
CWE
CWE-284
Published
6/16/2021
Updated
9/11/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.activemq:artemis-openwire-protocolmaven< 2.16.02.16.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from advisory messages being sent through an internal session that explicitly disabled security checks (via AMQSession.disableSecurity()). The fireAdvisory method leveraged this insecure session to bypass access control. The patch removed the special internal session handling and instead routed advisories through the normal post office with standard security checks. The removal of the 'internal' parameter in addSession and the advisorySession field in OpenWireConnection confirms these were the entry points for the bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W*il* inv*sti**tin* *RT*MIS-**** it w*s *oun* t**t t** *r**tion o* **visory m*ss***s in t** Op*nWir* proto*ol **** o* *p**** **tiv*MQ *rt*mis *.**.* *yp*ss** poli*y **s** ****ss *ontrol *or t** *ntir* s*ssion. Pro*u*tion o* **visory m*ss***s w*s not

Reasoning

T** vuln*r**ility st*mm** *rom **visory m*ss***s **in* s*nt t*rou** *n int*rn*l s*ssion t**t *xpli*itly *is**l** s**urity ****ks (vi* `*MQS*ssion.*is**l*S**urity()`). T** `*ir***visory` m*t*o* l*v*r**** t*is ins**ur* s*ssion to *yp*ss ****ss *ontrol.