{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-10-22T00:00:00", "descriptions": [{"lang": "en", "value": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "RHSA-2013:1029", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html"}, {"name": "[dev] 20121022 [DISCUSS] - ActiveMQ out of the box - Should not include the demos", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998"}, {"name": "59402", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/59402"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://activemq.apache.org/activemq-580-release.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282"}, {"name": "RHSA-2013:1221", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.apache.org/jira/browse/AMQ-4124"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-3060", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2013:1029", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html"}, {"name": "[dev] 20121022 [DISCUSS] - ActiveMQ out of the box - Should not include the demos", "refsource": "MLIST", "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html"}, {"name": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998", "refsource": "CONFIRM", "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998"}, {"name": "59402", "refsource": "BID", "url": "http://www.securityfocus.com/bid/59402"}, {"name": "http://activemq.apache.org/activemq-580-release.html", "refsource": "CONFIRM", "url": "http://activemq.apache.org/activemq-580-release.html"}, {"name": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282"}, {"name": "RHSA-2013:1221", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html"}, {"name": "https://issues.apache.org/jira/browse/AMQ-4124", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/AMQ-4124"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:00:09.506Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2013:1029", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html"}, {"name": "[dev] 20121022 [DISCUSS] - ActiveMQ out of the box - Should not include the demos", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998"}, {"name": "59402", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/59402"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://activemq.apache.org/activemq-580-release.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282"}, {"name": "RHSA-2013:1221", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.apache.org/jira/browse/AMQ-4124"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-3060", "datePublished": "2013-04-21T21:00:00", "dateReserved": "2013-04-15T00:00:00", "dateUpdated": "2024-08-06T16:00:09.506Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA0C6D29-FFCF-4D59-A2D3-2C226F3F679A", "versionEndIncluding": "5.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "AA1D17FC-EE96-4E59-A655-541DD4C01822", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:4.0:m4:*:*:*:*:*:*", "matchCriteriaId": "D5CCD470-62EA-4E53-80BA-D92E74298577", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:4.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "01145606-6FD6-482F-9F76-4D9C7E452E2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "B741D677-63F9-4B31-8E68-3084815F9BF6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "BF5D8AFE-B431-482E-892E-C038A96D5FEA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "BCC189C2-95A8-4CA0-8FEF-39857F079425", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1B850F6F-0605-411F-9A98-4B8147DEAD3A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "436F59B9-507A-4B4E-A9F3-022616866151", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F58D9E69-CBF2-4FB6-B062-ED21F83CBCCB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "05D6EC30-88DC-4424-BF86-D9C0DA5E191C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "82ACD6BA-257F-49D0-8944-0991FB038533", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "C43FD7A1-FC03-47BC-B6C6-02C0F1466762", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "A7A8D571-2925-4F61-B3F0-8F4A3776F6EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "47B31CD9-A3BB-427C-A631-2E8168DD1985", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "6B904806-6796-4947-BDF4-EEA5681147E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "61B4A1EE-7F62-4602-A102-8AD8E9FD528F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "623530FC-12E9-480B-AFA0-C19FCFFA5D36", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "C5755A41-0DBE-4F54-A1C1-4F65DCC6ACD2", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "11AADFBF-AC60-4535-892C-BE90BE858172", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests."}, {"lang": "es", "value": "La consola web de Apache ActiveMQ anterior a v5.8.0 no requiere autenticaci\u00f3n, lo que permite a atacantes remotos obtener informaci\u00f3n sensible o causar una denegaci\u00f3n de servicio a trav\u00e9s de peticiones HTTP."}], "id": "CVE-2013-3060", "lastModified": "2016-11-28T19:09:14.513", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-04-21T21:55:01.143", "references": [{"source": "cve@mitre.org", "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html"}, {"source": "cve@mitre.org", "url": "http://activemq.apache.org/activemq-580-release.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/59402"}, {"source": "cve@mitre.org", "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998"}, {"source": "cve@mitre.org", "url": "https://issues.apache.org/jira/browse/AMQ-4124"}, {"source": "cve@mitre.org", "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12323282"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2013:1221", "cpe": "cpe:/a:redhat:fuse_message_broker:5.5.1", "product_name": "Fuse Message Broker 5.5.1", "release_date": "2013-09-09T00:00:00Z"}, {"advisory": "RHSA-2013:1029", "cpe": "cpe:/a:redhat:fuse_mq_enterprise:7.1.0", "product_name": "Fuse MQ Enterprise 7.1.0", "release_date": "2013-07-09T00:00:00Z"}], "bugzilla": {"description": "activemq: Unauthenticated access to web console", "id": "955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908"}, "csaw": false, "cvss": {"cvss_base_score": "7.5", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "verified"}, "cwe": "CWE-306", "details": ["The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests."], "name": "CVE-2013-3060", "package_state": [{"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Affected", "package_name": "activemq", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "amq", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "fuse-6.0", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "fuse-esb-7.1", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-mb-5.5.1", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "fuse-mc-7.1.0", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "fuse-mq-7.1", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "fuse-others", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "others", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4.3", "fix_state": "Will not fix", "package_name": "activemq", "product_name": "Red Hat JBoss SOA Platform 4.3"}], "public_date": "2012-11-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-3060\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-3060"], "statement": "Fuse ESB Enterprise 7.1.0, Fuse MQ Enterprise 7.1.1, JBoss Fuse 6.0.0 and JBoss A-MQ 6.0.0 all contain the Apache ActiveMQ web console, but it is not deployed by default. The documentation for deploying the web console covers the configuration needed to ensure authentication is enabled, therefore these products are not affected by this flaw. In a future update to these products, the web console will be configured so that authentication is automatically enabled if the web console is deployed, eliminating the need to manually configure it.\nA future update may address this flaw in Fuse Message Broker 5.5.1.", "threat_severity": "Important"}