CVE-2020-10727
Description
A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the resetUsers operation. A local attacker can use this flaw to read the contents of the Artemis shadow file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ActiveMQ Artemis management API's resetUsers operation stores user passwords in plaintext, allowing local attackers to read credentials.
Vulnerability Overview
A flaw exists in the ActiveMQ Artemis management API from version 2.7.0 up to 2.12.0, where executing the resetUsers operation inadvertently stores the new password in plaintext in the Artemis shadow file (etc/artemis-users.properties). This occurs because the operation fails to hash or encrypt the password before writing it to disk [1][2].
Attack Vector
To exploit this vulnerability, an attacker must have local access to the system running ActiveMQ Artemis. No authentication is required beyond being able to read the file system where the broker's configuration resides. The attacker can simply read the contents of the etc/artemis-users.properties file to retrieve plaintext passwords of all users that were reset using the management API [1][2].
Potential Impact
A local attacker can leverage the exposed plaintext passwords to gain unauthorized access to the messaging broker, potentially intercepting, modifying, or disrupting message flows. This could lead to further compromise of connected systems and data exposure [1][2].
Mitigation Status
The issue has been addressed in Red Hat AMQ via RHSA-2020:2751 [2]. Users are advised to upgrade to a fixed version (2.12.0 or later). As a workaround, administrators can use the broker instance CLI command /bin/artemis user reset, which is not affected by this flaw [2].
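A defender-side audit for the condition this advisory describes, added here as an example and not code from the page, the advisory or the Artemis project: it parses an etc/artemis-users.properties file and reports accounts whose stored secret is not in the broker's hashed ENC(...) form, which is what a plaintext entry written by the affected resetUsers operation would look like. The file contents below are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample of an etc/artemis-users.properties file: two accounts
# with broker-hashed secrets (ENC(...) form) and one whose password was
# written in plaintext, as the affected resetUsers operation did.
SAMPLE_USERS_PROPERTIES = """\
# users file (constructed sample, not a real broker's file)
admin = ENC(1024:0a1b2c3d:4e5f6a7b)
guest = ENC(1024:deadbeef:cafebabe)
svc-reset = Sup3rSecret!
"""

# Artemis stores hashed/masked passwords wrapped as ENC(<payload>).
ENC_PATTERN = re.compile(r"^ENC\(.+\)$")

# Java properties files allow '=' or ':' as the key/value separator.
ENTRY_PATTERN = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_users_properties(text: str) -> Dict[str, str]:
    """Return a {username: stored_secret} map, skipping blank and comment lines."""
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = ENTRY_PATTERN.match(line)
        if not match:
            continue  # malformed line; ignore rather than guess
        users[match.group(1)] = match.group(2).strip()
    return users


def find_plaintext_users(text: str) -> List[str]:
    """Usernames whose stored secret is not in the hashed ENC(...) form."""
    users = parse_users_properties(text)
    return sorted(user for user, secret in users.items()
                  if not ENC_PATTERN.match(secret))


if __name__ == "__main__":
    # Run against a real broker: open("etc/artemis-users.properties").read()
    for user in find_plaintext_users(SAMPLE_USERS_PROPERTIES):
        print(f"plaintext credential stored for user: {user}")
```

A non-empty result means the file should be treated as a credential leak: rotate the affected passwords with the CLI `artemis user reset` workaround named above and restrict read access to the etc directory.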
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.activemq:artemis-commons | Maven | >= 2.7.0, < 2.13.0 | 2.13.0 |
Affected products
- (no CPE) range: >=2.7.0, <=2.12.0
- (no CPE) range: version 2.7.0 up until 2.12.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-q9g8-9hpp-xc82 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-10727 (NVD advisory)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla, confirm)
- issues.redhat.com/browse/ENTMQBR-3435 (Red Hat issue tracker)
- security.netapp.com/advisory/ntap-20210827-0001 (NetApp advisory, confirm)
News mentions
No linked articles in our index yet.