ViliusS commented on pull request #727: URL: https://github.com/apache/activemq/pull/727#issuecomment-977253379
Thank you for your reply. Your comment about the configuration control by Google is correct; however, if they change the default password in their image, it still doesn't solve the issue regarding the "user" role having administrative rights. Currently there is no way for others to know the risks of having the "user" account enabled besides looking at the ActiveMQ code. I'm not sure what the status of your mentioned patch is, but I still expect this issue to be fixed ASAP. Even if it breaks access to the API, it is a lesser evil than having a security hole. IMHO, having https://issues.apache.org/jira/browse/AMQ-5388 open for so long is unacceptable and is a horror story waiting to happen. We were almost ready to deploy ActiveMQ in our SaaS application for thousands of clients and I only accidentally stumbled on this vulnerability.
