Bug 2000654 (CVE-2021-3763) - CVE-2021-3763 AMQ Broker 7: Incorrect privilege in Management Console
Summary: CVE-2021-3763 AMQ Broker 7: Incorrect privilege in Management Console
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3763
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2000517
Reported: 2021-09-02 15:57 UTC by Patrick Del Bello
Modified: 2021-10-11 15:18 UTC (History)
5 users

Fixed In Version: amq-7.9.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Red Hat AMQ Broker management console in version 7.8, where an existing user is able to access some limited information even when the role the user is assigned to should not be allowed access to the management console. The main impact is to confidentiality: because some role bindings are incorrectly checked, some privileged meta information, such as queue names and configuration details, is disclosed. The impact is limited, as not all information is accessible and there is no effect on integrity.
Clone Of:
Environment:
Last Closed: 2021-09-30 12:21:27 UTC
Embargoed:




Links
System: Red Hat Product Errata; ID: RHSA-2021:3700; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2021-09-30 09:58:19 UTC

Description Patrick Del Bello 2021-09-02 15:57:52 UTC
A vulnerability was found in AMQ Broker versions 7.8.0, 7.8.1 and 7.8.2 that allows users without a role set to bypass the usual permission checks; this can allow a privileged user to access some information in the management console.

Comment 5 errata-xmlrpc 2021-09-30 09:58:18 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.9.0

Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700

Comment 6 Product Security DevOps Team 2021-09-30 12:21:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3763

