Description
While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the entire session. Production of advisory messages was not subject to access control in error.
Remediation
References
https://lists.apache.org/thread.html/rafd5d7cf303772a0118865262946586921a65ebd98fc24f56c812574%40%3Cannounce.apache.org%3E
https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3CCAH%2BvQmMUNnkiXv2-d3ucdErWOsdnLi6CgnK%2BVfixyJvTgTuYig%40mail.gmail.com%3E
https://security.netapp.com/advisory/ntap-20210827-0002/
Related Vulnerabilities
CVE-2022-37616 Vulnerability in maven package org.webjars.npm:xmldom__xmldom
CVE-2023-23936 Vulnerability in npm package undici
CVE-2023-26486 Vulnerability in npm package vega-functions
CVE-2020-25633 Vulnerability in maven package org.jboss.resteasy:resteasy-client-api
CVE-2010-2076 Vulnerability in maven package org.apache.axis2:axis2-kernel