CVE-2020-10727

Name of the Vulnerable Software and Affected Versions ActiveMQ Artemis versions 2.7.0 through 2.12.0

Description A flaw in the ActiveMQ Artemis management API allows a user to inadvertently store passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the resetUsers operation. This can be exploited by a local attacker to read the contents of the Artemis shadow file, potentially gaining unauthorized access to protected information.

Recommendations For versions 2.7.0 through 2.12.0, consider disabling the resetUsers operation until a patch is available to prevent storing passwords in plaintext. Restrict access to the etc/artemis-users.properties file to minimize the risk of exploitation. Avoid using the resetUsers operation in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.