{"containers": {"cna": {"affected": [{"product": "ActiveMQ Artemis", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "version 2.7.0 up until 2.12.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the `resetUsers` operation. A local attacker can use this flaw to read the contents of the Artemis shadow file."}], "problemTypes": [{"descriptions": [{"description": "Insufficiently Protected Credentials", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-08-27T06:07:16", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://issues.redhat.com/browse/ENTMQBR-3435"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827200"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210827-0001/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-10727", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ActiveMQ Artemis", "version": {"version_data": [{"version_value": "version 2.7.0 up until 2.12.0"}]}}]}, "vendor_name": "Red Hat"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the `resetUsers` operation. A local attacker can use this flaw to read the contents of the Artemis shadow file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insufficiently Protected Credentials"}]}]}, "references": {"reference_data": [{"name": "https://issues.redhat.com/browse/ENTMQBR-3435", "refsource": "MISC", "url": "https://issues.redhat.com/browse/ENTMQBR-3435"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1827200", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827200"}, {"name": "https://security.netapp.com/advisory/ntap-20210827-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210827-0001/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:14:14.722Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://issues.redhat.com/browse/ENTMQBR-3435"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827200"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210827-0001/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-10727", "datePublished": "2020-06-26T15:38:13", "dateReserved": "2020-03-20T00:00:00", "dateUpdated": "2024-08-04T11:14:14.722Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*", "matchCriteriaId": "30C14643-7B9F-480E-A93A-484C0D49A1C4", "versionEndIncluding": "2.12.0", "versionStartIncluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the `resetUsers` operation. A local attacker can use this flaw to read the contents of the Artemis shadow file."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en la API de administraci\u00f3n de ActiveMQ Artemis desde versiones 2.7.0 hasta 2.12.0, donde un usuario almacena inadvertidamente contrase\u00f1as en texto plano en el archivo shadow de Artemis (etc/artemis-users.properties) al ejecutar la operaci\u00f3n \"resetUsers\". Un atacante local puede usar este fallo para leer el contenido del archivo shadow de Artemis"}], "id": "CVE-2020-10727", "lastModified": "2024-11-21T04:55:56.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-26T16:15:12.063", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827200"}, {"source": "secalert@redhat.com", "tags": ["Permissions Required"], "url": "https://issues.redhat.com/browse/ENTMQBR-3435"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210827-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827200"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://issues.redhat.com/browse/ENTMQBR-3435"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210827-0001/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}, {"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Justin Bertram (Reporter) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:2751", "cpe": "cpe:/a:redhat:amq_broker:7", "package": "broker", "product_name": "Red Hat AMQ", "release_date": "2020-06-25T00:00:00Z"}, {"advisory": "RHSA-2020:3133", "cpe": "cpe:/a:redhat:amq_broker:7", "package": "broker", "product_name": "Red Hat AMQ", "release_date": "2020-07-23T00:00:00Z"}], "bugzilla": {"description": "broker: resetUsers operation stores password in plain text", "id": "1827200", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827200"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-522", "details": ["A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the `resetUsers` operation. A local attacker can use this flaw to read the contents of the Artemis shadow file.", "A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the `resetUsers` operation. A local attacker can use this flaw to read the contents of the Artemis shadow file."], "mitigation": {"lang": "en:us", "value": "When resetting a user an alternative is to use the broker instance CLI `/bin/artemis user reset` which is not affected by the flaw"}, "name": "CVE-2020-10727", "public_date": "2020-06-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-10727\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10727\nhttps://issues.redhat.com/browse/ENTMQBR-3435"], "threat_severity": "Moderate"}