cve-2013-3060
Vulnerability from cvelistv5
Published
2013-04-21 21:00
Modified
2024-08-06 16:00
Summary
The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:00:09.506Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2013:1029", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html" }, { "name": "[dev] 20121022 [DISCUSS] - ActiveMQ out of the box - Should not include the demos", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998" }, { "name": "59402", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/59402" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://activemq.apache.org/activemq-580-release.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282" }, { "name": "RHSA-2013:1221", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.apache.org/jira/browse/AMQ-4124" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-10-22T00:00:00", "descriptions": [ { "lang": "en", "value": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "RHSA-2013:1029", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html" }, { "name": "[dev] 20121022 [DISCUSS] - ActiveMQ out of the box - Should not include the demos", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998" }, { "name": "59402", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/59402" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://activemq.apache.org/activemq-580-release.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282" }, { "name": "RHSA-2013:1221", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.apache.org/jira/browse/AMQ-4124" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-3060", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via 
HTTP requests." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "RHSA-2013:1029", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html" }, { "name": "[dev] 20121022 [DISCUSS] - ActiveMQ out of the box - Should not include the demos", "refsource": "MLIST", "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html" }, { "name": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998", "refsource": "CONFIRM", "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998" }, { "name": "59402", "refsource": "BID", "url": "http://www.securityfocus.com/bid/59402" }, { "name": "http://activemq.apache.org/activemq-580-release.html", "refsource": "CONFIRM", "url": "http://activemq.apache.org/activemq-580-release.html" }, { "name": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282" }, { "name": "RHSA-2013:1221", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html" }, { "name": "https://issues.apache.org/jira/browse/AMQ-4124", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/AMQ-4124" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-3060", "datePublished": "2013-04-21T21:00:00", "dateReserved": "2013-04-15T00:00:00", "dateUpdated": "2024-08-06T16:00:09.506Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": 
"{\"cve\":{\"id\":\"CVE-2013-3060\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2013-04-21T21:55:01.143\",\"lastModified\":\"2024-11-21T01:52:55.037\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.\"},{\"lang\":\"es\",\"value\":\"La consola web de Apache ActiveMQ anterior a v5.8.0 no requiere autenticaci\u00f3n, lo que permite a atacantes remotos obtener informaci\u00f3n sensible o causar una denegaci\u00f3n de servicio a trav\u00e9s de peticiones HTTP.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:P\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.7.0\",\"matchCriteriaId\":\"DA0C6D29-FFCF-4D59-A2D3-2C226F3F679A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AA1D17FC-EE96-4E59-A655-541DD4C01822\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:4.0:m4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D5CCD470-62EA-4E53-80BA-D92E74298577\"},{\"vulnerable\":true,\
"criteria\":\"cpe:2.3:a:apache:activemq:4.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"01145606-6FD6-482F-9F76-4D9C7E452E2F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B741D677-63F9-4B31-8E68-3084815F9BF6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF5D8AFE-B431-482E-892E-C038A96D5FEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:4.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BCC189C2-95A8-4CA0-8FEF-39857F079425\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:4.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B850F6F-0605-411F-9A98-4B8147DEAD3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"436F59B9-507A-4B4E-A9F3-022616866151\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F58D9E69-CBF2-4FB6-B062-ED21F83CBCCB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"05D6EC30-88DC-4424-BF86-D9C0DA5E191C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"82ACD6BA-257F-49D0-8944-0991FB038533\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C43FD7A1-FC03-47BC-B6C6-02C0F1466762\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7A8D571-2925-4F61-B3F0-8F4A3776F6EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"47B31CD9-A3BB-427C-A631-2E8168DD1985\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B904806-6796-4947-BDF4-EEA5681147E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61B4A1EE-7F62-4602
-A102-8AD8E9FD528F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"623530FC-12E9-480B-AFA0-C19FCFFA5D36\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5755A41-0DBE-4F54-A1C1-4F65DCC6ACD2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"11AADFBF-AC60-4535-892C-BE90BE858172\"}]}]}],\"references\":[{\"url\":\"http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://activemq.apache.org/activemq-580-release.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1029.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1221.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/59402\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://fisheye6.atlassian.com/changelog/activemq?cs=1404998\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://issues.apache.org/jira/browse/AMQ-4124\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://activemq.apache.org/activemq-580-release.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1221.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/59402\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://fisheye6.atlas
sian.com/changelog/activemq?cs=1404998\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://issues.apache.org/jira/browse/AMQ-4124\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
fkie_cve-2013-3060
Vulnerability from fkie_nvd
Published
2013-04-21 21:55
Modified
2024-11-21 01:52
Summary
The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
apache | activemq | * | |
apache | activemq | 4.0 | |
apache | activemq | 4.0 | m4 |
apache | activemq | 4.0 | rc2 |
apache | activemq | 4.0.1 | |
apache | activemq | 4.0.2 | |
apache | activemq | 4.1.0 | |
apache | activemq | 4.1.1 | |
apache | activemq | 5.0.0 | |
apache | activemq | 5.1.0 | |
apache | activemq | 5.2.0 | |
apache | activemq | 5.3.0 | |
apache | activemq | 5.3.1 | |
apache | activemq | 5.3.2 | |
apache | activemq | 5.4.0 | |
apache | activemq | 5.4.1 | |
apache | activemq | 5.4.2 | |
apache | activemq | 5.5.0 | |
apache | activemq | 5.5.1 | |
apache | activemq | 5.6.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA0C6D29-FFCF-4D59-A2D3-2C226F3F679A", "versionEndIncluding": "5.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "AA1D17FC-EE96-4E59-A655-541DD4C01822", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:4.0:m4:*:*:*:*:*:*", "matchCriteriaId": "D5CCD470-62EA-4E53-80BA-D92E74298577", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:4.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "01145606-6FD6-482F-9F76-4D9C7E452E2F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "B741D677-63F9-4B31-8E68-3084815F9BF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "BF5D8AFE-B431-482E-892E-C038A96D5FEA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "BCC189C2-95A8-4CA0-8FEF-39857F079425", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1B850F6F-0605-411F-9A98-4B8147DEAD3A", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "436F59B9-507A-4B4E-A9F3-022616866151", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F58D9E69-CBF2-4FB6-B062-ED21F83CBCCB", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "05D6EC30-88DC-4424-BF86-D9C0DA5E191C", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "82ACD6BA-257F-49D0-8944-0991FB038533", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "C43FD7A1-FC03-47BC-B6C6-02C0F1466762", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "A7A8D571-2925-4F61-B3F0-8F4A3776F6EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "47B31CD9-A3BB-427C-A631-2E8168DD1985", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "6B904806-6796-4947-BDF4-EEA5681147E8", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "61B4A1EE-7F62-4602-A102-8AD8E9FD528F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "623530FC-12E9-480B-AFA0-C19FCFFA5D36", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "C5755A41-0DBE-4F54-A1C1-4F65DCC6ACD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "11AADFBF-AC60-4535-892C-BE90BE858172", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests." }, { "lang": "es", "value": "La consola web de Apache ActiveMQ anterior a v5.8.0 no requiere autenticaci\u00f3n, lo que permite a atacantes remotos obtener informaci\u00f3n sensible o causar una denegaci\u00f3n de servicio a trav\u00e9s de peticiones HTTP." 
} ], "id": "CVE-2013-3060", "lastModified": "2024-11-21T01:52:55.037", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2013-04-21T21:55:01.143", "references": [ { "source": "cve@mitre.org", "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html" }, { "source": "cve@mitre.org", "url": "http://activemq.apache.org/activemq-580-release.html" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/59402" }, { "source": "cve@mitre.org", "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998" }, { "source": "cve@mitre.org", "url": "https://issues.apache.org/jira/browse/AMQ-4124" }, { "source": "cve@mitre.org", "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://activemq.apache.org/activemq-580-release.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/59402" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.apache.org/jira/browse/AMQ-4124" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
rhsa-2013_1221
Vulnerability from csaf_redhat
Published
2013-09-09 16:54
Modified
2024-11-22 07:05
Summary
Red Hat Security Advisory: Fuse Message Broker 5.5.1 security update
Notes
Topic
An update for the Apache ActiveMQ component of Fuse Message Broker 5.5.1
that fixes one security issue is now available from the Red Hat Customer
Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
Details
Fuse Message Broker is a messaging platform based on Apache ActiveMQ that
provides SOA infrastructure to connect processes across heterogeneous
systems.
It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)
This update delivers a README file which describes how to manually
configure an XML properties file to fix this flaw. Back up existing Fuse
Message Broker configuration files before making changes.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the Apache ActiveMQ component of Fuse Message Broker 5.5.1\nthat fixes one security issue is now available from the Red Hat Customer\nPortal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", "title": "Topic" }, { "category": "general", "text": "Fuse Message Broker is a messaging platform based on Apache ActiveMQ that\nprovides SOA infrastructure to connect processes across heterogeneous\nsystems.\n\nIt was found that, by default, the Apache ActiveMQ web console did not\nrequire authentication. A remote attacker could use this flaw to modify the\nstate of the Apache ActiveMQ environment, obtain sensitive information, or\ncause a denial of service. (CVE-2013-3060)\n\nThis update delivers a README file which describes how to manually\nconfigure an XML properties file to fix this flaw. Back up existing Fuse\nMessage Broker configuration files before making changes.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2013:1221", "url": "https://access.redhat.com/errata/RHSA-2013:1221" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.message.apache\u0026downloadType=securityPatches\u0026version=5.5.1-fuse-10", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.message.apache\u0026downloadType=securityPatches\u0026version=5.5.1-fuse-10" }, { "category": "external", "summary": "955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1221.json" } ], "title": "Red Hat Security Advisory: Fuse Message Broker 5.5.1 security update", "tracking": { "current_release_date": "2024-11-22T07:05:09+00:00", "generator": { "date": "2024-11-22T07:05:09+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2013:1221", "initial_release_date": "2013-09-09T16:54:00+00:00", "revision_history": [ { "date": "2013-09-09T16:54:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2013-09-09T16:55:25+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T07:05:09+00:00", "number": "3", "summary": "Last generated version" } ], 
"status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Fuse Message Broker 5.5.1", "product": { "name": "Fuse Message Broker 5.5.1", "product_id": "Fuse Message Broker 5.5.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:fuse_message_broker:5.5.1" } } } ], "category": "product_family", "name": "Fuse Enterprise Middleware" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2013-3060", "cwe": { "id": "CWE-306", "name": "Missing Authentication for Critical Function" }, "discovery_date": "2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955908" } ], "notes": [ { "category": "description", "text": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: Unauthenticated access to web console", "title": "Vulnerability summary" }, { "category": "other", "text": "Fuse ESB Enterprise 7.1.0, Fuse MQ Enterprise 7.1.1, JBoss Fuse 6.0.0 and JBoss A-MQ 6.0.0 all contain the Apache ActiveMQ web console, but it is not deployed by default. The documentation for deploying the web console covers the configuration needed to ensure authentication is enabled, therefore these products are not affected by this flaw. 
In a future update to these products, the web console will be configured so that authentication is automatically enabled if the web console is deployed, eliminating the need to manually configure it.\n\nA future update may address this flaw in Fuse Message Broker 5.5.1.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse Message Broker 5.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-3060" }, { "category": "external", "summary": "RHBZ#955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-3060", "url": "https://www.cve.org/CVERecord?id=CVE-2013-3060" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060" } ], "release_date": "2012-11-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-09-09T16:54:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Back up existing Fuse Message Broker\nconfiguration files before making changes.", "product_ids": [ "Fuse Message Broker 5.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1221" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "Fuse Message Broker 5.5.1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "activemq: Unauthenticated access to web console" } ] }
rhsa-2013:1221
Vulnerability from csaf_redhat
Published
2013-09-09 16:54
Modified
2024-11-22 07:05
Summary
Red Hat Security Advisory: Fuse Message Broker 5.5.1 security update
Notes
Topic
An update for the Apache ActiveMQ component of Fuse Message Broker 5.5.1
that fixes one security issue is now available from the Red Hat Customer
Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
Details
Fuse Message Broker is a messaging platform based on Apache ActiveMQ that
provides SOA infrastructure to connect processes across heterogeneous
systems.
It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)
This update delivers a README file which describes how to manually
configure an XML properties file to fix this flaw. Back up existing Fuse
Message Broker configuration files before making changes.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the Apache ActiveMQ component of Fuse Message Broker 5.5.1\nthat fixes one security issue is now available from the Red Hat Customer\nPortal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", "title": "Topic" }, { "category": "general", "text": "Fuse Message Broker is a messaging platform based on Apache ActiveMQ that\nprovides SOA infrastructure to connect processes across heterogeneous\nsystems.\n\nIt was found that, by default, the Apache ActiveMQ web console did not\nrequire authentication. A remote attacker could use this flaw to modify the\nstate of the Apache ActiveMQ environment, obtain sensitive information, or\ncause a denial of service. (CVE-2013-3060)\n\nThis update delivers a README file which describes how to manually\nconfigure an XML properties file to fix this flaw. Back up existing Fuse\nMessage Broker configuration files before making changes.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2013:1221", "url": "https://access.redhat.com/errata/RHSA-2013:1221" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.message.apache\u0026downloadType=securityPatches\u0026version=5.5.1-fuse-10", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.message.apache\u0026downloadType=securityPatches\u0026version=5.5.1-fuse-10" }, { "category": "external", "summary": "955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1221.json" } ], "title": "Red Hat Security Advisory: Fuse Message Broker 5.5.1 security update", "tracking": { "current_release_date": "2024-11-22T07:05:09+00:00", "generator": { "date": "2024-11-22T07:05:09+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2013:1221", "initial_release_date": "2013-09-09T16:54:00+00:00", "revision_history": [ { "date": "2013-09-09T16:54:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2013-09-09T16:55:25+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T07:05:09+00:00", "number": "3", "summary": "Last generated version" } ], 
"status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Fuse Message Broker 5.5.1", "product": { "name": "Fuse Message Broker 5.5.1", "product_id": "Fuse Message Broker 5.5.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:fuse_message_broker:5.5.1" } } } ], "category": "product_family", "name": "Fuse Enterprise Middleware" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2013-3060", "cwe": { "id": "CWE-306", "name": "Missing Authentication for Critical Function" }, "discovery_date": "2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955908" } ], "notes": [ { "category": "description", "text": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: Unauthenticated access to web console", "title": "Vulnerability summary" }, { "category": "other", "text": "Fuse ESB Enterprise 7.1.0, Fuse MQ Enterprise 7.1.1, JBoss Fuse 6.0.0 and JBoss A-MQ 6.0.0 all contain the Apache ActiveMQ web console, but it is not deployed by default. The documentation for deploying the web console covers the configuration needed to ensure authentication is enabled, therefore these products are not affected by this flaw. 
In a future update to these products, the web console will be configured so that authentication is automatically enabled if the web console is deployed, eliminating the need to manually configure it.\n\nA future update may address this flaw in Fuse Message Broker 5.5.1.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse Message Broker 5.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-3060" }, { "category": "external", "summary": "RHBZ#955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-3060", "url": "https://www.cve.org/CVERecord?id=CVE-2013-3060" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060" } ], "release_date": "2012-11-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-09-09T16:54:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Back up existing Fuse Message Broker\nconfiguration files before making changes.", "product_ids": [ "Fuse Message Broker 5.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1221" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "Fuse Message Broker 5.5.1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "activemq: Unauthenticated access to web console" } ] }
rhsa-2013_1029
Vulnerability from csaf_redhat
Published
2013-07-09 17:51
Modified
2024-11-22 07:28
Summary
Red Hat Security Advisory: Fuse MQ Enterprise 7.1.0 update
Notes
Topic
Fuse MQ Enterprise 7.1.0 roll up patch 1, which fixes multiple security
issues and various bugs, is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission-critical applications.
This release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to
Fuse MQ Enterprise 7.1.0 and includes bug fixes. Refer to the readme file
included with the patch files for information about the bug fixes.
The following security issues are also fixed with this release:
It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)
Multiple cross-site scripting (XSS) flaws were found in the Apache ActiveMQ
demo web applications. A remote attacker could use these flaws to inject
arbitrary web script or HTML on pages displayed by the demo web
applications. (CVE-2012-6092)
It was found that a sample Apache ActiveMQ application was deployed by
default. A remote attacker could use this flaw to send requests to the
sample application, allowing them to consume all available broker
resources. (CVE-2012-6551)
A stored cross-site scripting (XSS) flaw was found in the way Apache
ActiveMQ handled cron jobs. A remote attacker could use this flaw to
perform an XSS attack against users viewing the scheduled.jsp page.
(CVE-2013-1879)
A reflected cross-site scripting (XSS) flaw was found in the
portfolioPublish servlet of the Apache ActiveMQ demo web applications. A
remote attacker could use this flaw to inject arbitrary web script or
HTML. (CVE-2013-1880)
Note: All of the above flaws affected only the distribution of Apache
ActiveMQ included in the extras directory of the Fuse MQ Enterprise
distribution. The Fuse MQ Enterprise product itself was not affected by any
of the above flaws.
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp/ when the native libraries were bundled in a JAR file, and no
custom library path was specified. A local attacker could overwrite these
native libraries with malicious versions during the window between when
HawtJNI writes them and when they are executed. (CVE-2013-2035)
The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat
Product Security Team.
All users of Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer
Portal are advised to upgrade to Fuse MQ Enterprise 7.1.0 roll up patch 1.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Fuse MQ Enterprise 7.1.0 roll up patch 1, which fixes multiple security\nissues and various bugs, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to\nFuse MQ Enterprise 7.1.0 and includes bug fixes. Refer to the readme file\nincluded with the patch files for information about the bug fixes.\n\nThe following security issues are also fixed with this release:\n\nIt was found that, by default, the Apache ActiveMQ web console did not\nrequire authentication. A remote attacker could use this flaw to modify the\nstate of the Apache ActiveMQ environment, obtain sensitive information, or\ncause a denial of service. (CVE-2013-3060)\n\nMultiple cross-site scripting (XSS) flaws were found in the Apache ActiveMQ\ndemo web applications. A remote attacker could use these flaws to inject\narbitrary web script or HTML on pages displayed by the demo web\napplications. (CVE-2012-6092)\n\nIt was found that a sample Apache ActiveMQ application was deployed by\ndefault. 
A remote attacker could use this flaw to send the sample\napplication requests, allowing them to consume all available broker\nresources. (CVE-2012-6551)\n\nA stored cross-site scripting (XSS) flaw was found in the way Apache\nActiveMQ handled cron jobs. A remote attacker could use this flaw to\nperform an XSS attack against users viewing the scheduled.jsp page.\n(CVE-2013-1879)\n\nA reflected cross-site scripting (XSS) flaw was found in the\nportfolioPublish servlet of the Apache ActiveMQ demo web applications. A\nremote attacker could use this flaw to inject arbitrary web script or\nHTML. (CVE-2013-1880)\n\nNote: All of the above flaws only affected the distribution of Apache\nActiveMQ included in the extras directory of the Fuse MQ Enterprise\ndistribution. The Fuse MQ Enterprise product itself was not affected by any\nof the above flaws.\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp/ when the native libraries were bundled in a JAR file, and no\ncustom library path was specified. A local attacker could overwrite these\nnative libraries with malicious versions during the window between when\nHawtJNI writes them and when they are executed. (CVE-2013-2035)\n\nThe CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat\nProduct Security Team.\n\nAll users of Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer\nPortal are advised to upgrade to Fuse MQ Enterprise 7.1.0 roll up patch 1.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2013:1029", "url": "https://access.redhat.com/errata/RHSA-2013:1029" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0" }, { "category": "external", "summary": "924446", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924446" }, { "category": "external", "summary": "924447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924447" }, { "category": "external", "summary": "955906", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955906" }, { "category": "external", "summary": "955907", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955907" }, { "category": "external", "summary": "955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "external", "summary": "958618", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1029.json" } ], "title": "Red Hat Security Advisory: Fuse MQ Enterprise 7.1.0 update", "tracking": { "current_release_date": 
"2024-11-22T07:28:40+00:00", "generator": { "date": "2024-11-22T07:28:40+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2013:1029", "initial_release_date": "2013-07-09T17:51:00+00:00", "revision_history": [ { "date": "2013-07-09T17:51:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2013-07-09T17:56:11+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T07:28:40+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Fuse MQ Enterprise 7.1.0", "product": { "name": "Fuse MQ Enterprise 7.1.0", "product_id": "Fuse MQ Enterprise 7.1.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:fuse_mq_enterprise:7.1.0" } } } ], "category": "product_family", "name": "Fuse Enterprise Middleware" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2012-6092", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955906" } ], "notes": [ { "category": "description", "text": "Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. 
NOTE: AMQ-4124 is covered by CVE-2012-6551.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: Multiple XSS flaws in web demos", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2012-6092" }, { "category": "external", "summary": "RHBZ#955906", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955906" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2012-6092", "url": "https://www.cve.org/CVERecord?id=CVE-2012-6092" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-6092", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6092" } ], "release_date": "2012-10-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "activemq: Multiple XSS flaws in web demos" }, { "cve": "CVE-2012-6551", "discovery_date": 
"2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955907" } ], "notes": [ { "category": "description", "text": "The default configuration of Apache ActiveMQ before 5.8.0 enables a sample web application, which allows remote attackers to cause a denial of service (broker resource consumption) via HTTP requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: DoS by resource consumption via HTTP requests to sample webapp", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2012-6551" }, { "category": "external", "summary": "RHBZ#955907", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955907" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2012-6551", "url": "https://www.cve.org/CVERecord?id=CVE-2012-6551" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-6551", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6551" } ], "release_date": "2012-11-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, 
"confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "activemq: DoS by resource consumption via HTTP requests to sample webapp" }, { "cve": "CVE-2013-1879", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2013-03-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "924446" } ], "notes": [ { "category": "description", "text": "Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the \"cron of a message.\"", "title": "Vulnerability description" }, { "category": "summary", "text": "ActiveMQ: XSS vulnerability in scheduled.jsp", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-1879" }, { "category": "external", "summary": "RHBZ#924446", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924446" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-1879", "url": "https://www.cve.org/CVERecord?id=CVE-2013-1879" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1879", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1879" } ], "release_date": "2013-03-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": 
"2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ActiveMQ: XSS vulnerability in scheduled.jsp" }, { "cve": "CVE-2013-1880", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2013-03-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "924447" } ], "notes": [ { "category": "description", "text": "Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet in the demo web application in Apache ActiveMQ before 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the refresh parameter to demo/portfolioPublish, a different vulnerability than CVE-2012-6092.", "title": "Vulnerability description" }, { "category": "summary", "text": "ActiveMQ: XSS vulnerability in portfolioPublish demo application", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": 
"https://access.redhat.com/security/cve/CVE-2013-1880" }, { "category": "external", "summary": "RHBZ#924447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924447" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-1880", "url": "https://www.cve.org/CVERecord?id=CVE-2013-1880" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1880", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1880" } ], "release_date": "2013-03-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ActiveMQ: XSS vulnerability in portfolioPublish demo application" }, { "acknowledgments": [ { "names": [ "Florian Weimer" ], "organization": "Red Hat Product Security Team", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2013-2035", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "discovery_date": "2013-04-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "958618" } ], "notes": [ { "category": "description", "text": "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. 
A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.", "title": "Vulnerability description" }, { "category": "summary", "text": "HawtJNI: predictable temporary file name leading to local arbitrary code execution", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-2035" }, { "category": "external", "summary": "RHBZ#958618", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-2035", "url": "https://www.cve.org/CVERecord?id=CVE-2013-2035" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035" } ], "release_date": "2013-05-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { 
"category": "impact", "details": "Low" } ], "title": "HawtJNI: predictable temporary file name leading to local arbitrary code execution" }, { "cve": "CVE-2013-3060", "cwe": { "id": "CWE-306", "name": "Missing Authentication for Critical Function" }, "discovery_date": "2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955908" } ], "notes": [ { "category": "description", "text": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: Unauthenticated access to web console", "title": "Vulnerability summary" }, { "category": "other", "text": "Fuse ESB Enterprise 7.1.0, Fuse MQ Enterprise 7.1.1, JBoss Fuse 6.0.0 and JBoss A-MQ 6.0.0 all contain the Apache ActiveMQ web console, but it is not deployed by default. The documentation for deploying the web console covers the configuration needed to ensure authentication is enabled, therefore these products are not affected by this flaw. 
In a future update to these products, the web console will be configured so that authentication is automatically enabled if the web console is deployed, eliminating the need to manually configure it.\n\nA future update may address this flaw in Fuse Message Broker 5.5.1.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-3060" }, { "category": "external", "summary": "RHBZ#955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-3060", "url": "https://www.cve.org/CVERecord?id=CVE-2013-3060" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060" } ], "release_date": "2012-11-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": 
"activemq: Unauthenticated access to web console" } ] }
RHSA-2013:1221
Vulnerability from csaf_redhat
Published
2013-09-09 16:54
Modified
2024-11-22 07:05
Summary
Red Hat Security Advisory: Fuse Message Broker 5.5.1 security update
Notes
Topic
An update for the Apache ActiveMQ component of Fuse Message Broker 5.5.1
that fixes one security issue is now available from the Red Hat Customer
Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
Details
Fuse Message Broker is a messaging platform based on Apache ActiveMQ that
provides SOA infrastructure to connect processes across heterogeneous
systems.
It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)
This update delivers a README file that describes how to manually
configure an XML properties file to fix this flaw. Back up existing Fuse
Message Broker configuration files before making changes.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the Apache ActiveMQ component of Fuse Message Broker 5.5.1\nthat fixes one security issue is now available from the Red Hat Customer\nPortal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", "title": "Topic" }, { "category": "general", "text": "Fuse Message Broker is a messaging platform based on Apache ActiveMQ that\nprovides SOA infrastructure to connect processes across heterogeneous\nsystems.\n\nIt was found that, by default, the Apache ActiveMQ web console did not\nrequire authentication. A remote attacker could use this flaw to modify the\nstate of the Apache ActiveMQ environment, obtain sensitive information, or\ncause a denial of service. (CVE-2013-3060)\n\nThis update delivers a README file which describes how to manually\nconfigure an XML properties file to fix this flaw. Back up existing Fuse\nMessage Broker configuration files before making changes.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2013:1221", "url": "https://access.redhat.com/errata/RHSA-2013:1221" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.message.apache\u0026downloadType=securityPatches\u0026version=5.5.1-fuse-10", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.message.apache\u0026downloadType=securityPatches\u0026version=5.5.1-fuse-10" }, { "category": "external", "summary": "955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1221.json" } ], "title": "Red Hat Security Advisory: Fuse Message Broker 5.5.1 security update", "tracking": { "current_release_date": "2024-11-22T07:05:09+00:00", "generator": { "date": "2024-11-22T07:05:09+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2013:1221", "initial_release_date": "2013-09-09T16:54:00+00:00", "revision_history": [ { "date": "2013-09-09T16:54:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2013-09-09T16:55:25+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T07:05:09+00:00", "number": "3", "summary": "Last generated version" } ], 
"status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Fuse Message Broker 5.5.1", "product": { "name": "Fuse Message Broker 5.5.1", "product_id": "Fuse Message Broker 5.5.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:fuse_message_broker:5.5.1" } } } ], "category": "product_family", "name": "Fuse Enterprise Middleware" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2013-3060", "cwe": { "id": "CWE-306", "name": "Missing Authentication for Critical Function" }, "discovery_date": "2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955908" } ], "notes": [ { "category": "description", "text": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: Unauthenticated access to web console", "title": "Vulnerability summary" }, { "category": "other", "text": "Fuse ESB Enterprise 7.1.0, Fuse MQ Enterprise 7.1.1, JBoss Fuse 6.0.0 and JBoss A-MQ 6.0.0 all contain the Apache ActiveMQ web console, but it is not deployed by default. The documentation for deploying the web console covers the configuration needed to ensure authentication is enabled, therefore these products are not affected by this flaw. 
In a future update to these products, the web console will be configured so that authentication is automatically enabled if the web console is deployed, eliminating the need to manually configure it.\n\nA future update may address this flaw in Fuse Message Broker 5.5.1.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse Message Broker 5.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-3060" }, { "category": "external", "summary": "RHBZ#955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-3060", "url": "https://www.cve.org/CVERecord?id=CVE-2013-3060" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060" } ], "release_date": "2012-11-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-09-09T16:54:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Back up existing Fuse Message Broker\nconfiguration files before making changes.", "product_ids": [ "Fuse Message Broker 5.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1221" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "Fuse Message Broker 5.5.1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "activemq: Unauthenticated access to web console" } ] }
RHSA-2013:1029
Vulnerability from csaf_redhat
Published
2013-07-09 17:51
Modified
2024-11-22 07:28
Summary
Red Hat Security Advisory: Fuse MQ Enterprise 7.1.0 update
Notes
Topic
Fuse MQ Enterprise 7.1.0 roll up patch 1, which fixes multiple security
issues and various bugs, is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission-critical applications.
This release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to
Fuse MQ Enterprise 7.1.0 and includes bug fixes. Refer to the readme file
included with the patch files for information about the bug fixes.
The following security issues are also fixed with this release:
It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)
Multiple cross-site scripting (XSS) flaws were found in the Apache ActiveMQ
demo web applications. A remote attacker could use these flaws to inject
arbitrary web script or HTML on pages displayed by the demo web
applications. (CVE-2012-6092)
It was found that a sample Apache ActiveMQ application was deployed by
default. A remote attacker could use this flaw to send requests to the
sample application, allowing them to consume all available broker
resources. (CVE-2012-6551)
A stored cross-site scripting (XSS) flaw was found in the way Apache
ActiveMQ handled cron jobs. A remote attacker could use this flaw to
perform an XSS attack against users viewing the scheduled.jsp page.
(CVE-2013-1879)
A reflected cross-site scripting (XSS) flaw was found in the
portfolioPublish servlet of the Apache ActiveMQ demo web applications. A
remote attacker could use this flaw to inject arbitrary web script or
HTML. (CVE-2013-1880)
Note: All of the above flaws only affected the distribution of Apache
ActiveMQ included in the extras directory of the Fuse MQ Enterprise
distribution. The Fuse MQ Enterprise product itself was not affected by any
of the above flaws.
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp/ when the native libraries were bundled in a JAR file, and no
custom library path was specified. A local attacker could overwrite these
native libraries with malicious versions during the window between when
HawtJNI writes them and when they are executed. (CVE-2013-2035)
The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat
Product Security Team.
All users of Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer
Portal are advised to upgrade to Fuse MQ Enterprise 7.1.0 roll up patch 1.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Fuse MQ Enterprise 7.1.0 roll up patch 1, which fixes multiple security\nissues and various bugs, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to\nFuse MQ Enterprise 7.1.0 and includes bug fixes. Refer to the readme file\nincluded with the patch files for information about the bug fixes.\n\nThe following security issues are also fixed with this release:\n\nIt was found that, by default, the Apache ActiveMQ web console did not\nrequire authentication. A remote attacker could use this flaw to modify the\nstate of the Apache ActiveMQ environment, obtain sensitive information, or\ncause a denial of service. (CVE-2013-3060)\n\nMultiple cross-site scripting (XSS) flaws were found in the Apache ActiveMQ\ndemo web applications. A remote attacker could use these flaws to inject\narbitrary web script or HTML on pages displayed by the demo web\napplications. (CVE-2012-6092)\n\nIt was found that a sample Apache ActiveMQ application was deployed by\ndefault. 
A remote attacker could use this flaw to send the sample\napplication requests, allowing them to consume all available broker\nresources. (CVE-2012-6551)\n\nA stored cross-site scripting (XSS) flaw was found in the way Apache\nActiveMQ handled cron jobs. A remote attacker could use this flaw to\nperform an XSS attack against users viewing the scheduled.jsp page.\n(CVE-2013-1879)\n\nA reflected cross-site scripting (XSS) flaw was found in the\nportfolioPublish servlet of the Apache ActiveMQ demo web applications. A\nremote attacker could use this flaw to inject arbitrary web script or\nHTML. (CVE-2013-1880)\n\nNote: All of the above flaws only affected the distribution of Apache\nActiveMQ included in the extras directory of the Fuse MQ Enterprise\ndistribution. The Fuse MQ Enterprise product itself was not affected by any\nof the above flaws.\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp/ when the native libraries were bundled in a JAR file, and no\ncustom library path was specified. A local attacker could overwrite these\nnative libraries with malicious versions during the window between when\nHawtJNI writes them and when they are executed. (CVE-2013-2035)\n\nThe CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat\nProduct Security Team.\n\nAll users of Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer\nPortal are advised to upgrade to Fuse MQ Enterprise 7.1.0 roll up patch 1.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2013:1029", "url": "https://access.redhat.com/errata/RHSA-2013:1029" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0" }, { "category": "external", "summary": "924446", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924446" }, { "category": "external", "summary": "924447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924447" }, { "category": "external", "summary": "955906", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955906" }, { "category": "external", "summary": "955907", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955907" }, { "category": "external", "summary": "955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "external", "summary": "958618", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1029.json" } ], "title": "Red Hat Security Advisory: Fuse MQ Enterprise 7.1.0 update", "tracking": { "current_release_date": 
"2024-11-22T07:28:40+00:00", "generator": { "date": "2024-11-22T07:28:40+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2013:1029", "initial_release_date": "2013-07-09T17:51:00+00:00", "revision_history": [ { "date": "2013-07-09T17:51:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2013-07-09T17:56:11+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T07:28:40+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Fuse MQ Enterprise 7.1.0", "product": { "name": "Fuse MQ Enterprise 7.1.0", "product_id": "Fuse MQ Enterprise 7.1.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:fuse_mq_enterprise:7.1.0" } } } ], "category": "product_family", "name": "Fuse Enterprise Middleware" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2012-6092", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955906" } ], "notes": [ { "category": "description", "text": "Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. 
NOTE: AMQ-4124 is covered by CVE-2012-6551.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: Multiple XSS flaws in web demos", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2012-6092" }, { "category": "external", "summary": "RHBZ#955906", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955906" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2012-6092", "url": "https://www.cve.org/CVERecord?id=CVE-2012-6092" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-6092", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6092" } ], "release_date": "2012-10-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "activemq: Multiple XSS flaws in web demos" }, { "cve": "CVE-2012-6551", "discovery_date": 
"2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955907" } ], "notes": [ { "category": "description", "text": "The default configuration of Apache ActiveMQ before 5.8.0 enables a sample web application, which allows remote attackers to cause a denial of service (broker resource consumption) via HTTP requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: DoS by resource consumption via HTTP requests to sample webapp", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2012-6551" }, { "category": "external", "summary": "RHBZ#955907", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955907" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2012-6551", "url": "https://www.cve.org/CVERecord?id=CVE-2012-6551" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-6551", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6551" } ], "release_date": "2012-11-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, 
"confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "activemq: DoS by resource consumption via HTTP requests to sample webapp" }, { "cve": "CVE-2013-1879", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2013-03-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "924446" } ], "notes": [ { "category": "description", "text": "Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the \"cron of a message.\"", "title": "Vulnerability description" }, { "category": "summary", "text": "ActiveMQ: XSS vulnerability in scheduled.jsp", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-1879" }, { "category": "external", "summary": "RHBZ#924446", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924446" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-1879", "url": "https://www.cve.org/CVERecord?id=CVE-2013-1879" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1879", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1879" } ], "release_date": "2013-03-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": 
"2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ActiveMQ: XSS vulnerability in scheduled.jsp" }, { "cve": "CVE-2013-1880", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2013-03-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "924447" } ], "notes": [ { "category": "description", "text": "Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet in the demo web application in Apache ActiveMQ before 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the refresh parameter to demo/portfolioPublish, a different vulnerability than CVE-2012-6092.", "title": "Vulnerability description" }, { "category": "summary", "text": "ActiveMQ: XSS vulnerability in portfolioPublish demo application", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": 
"https://access.redhat.com/security/cve/CVE-2013-1880" }, { "category": "external", "summary": "RHBZ#924447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924447" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-1880", "url": "https://www.cve.org/CVERecord?id=CVE-2013-1880" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1880", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1880" } ], "release_date": "2013-03-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ActiveMQ: XSS vulnerability in portfolioPublish demo application" }, { "acknowledgments": [ { "names": [ "Florian Weimer" ], "organization": "Red Hat Product Security Team", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2013-2035", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "discovery_date": "2013-04-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "958618" } ], "notes": [ { "category": "description", "text": "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. 
A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.", "title": "Vulnerability description" }, { "category": "summary", "text": "HawtJNI: predictable temporary file name leading to local arbitrary code execution", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-2035" }, { "category": "external", "summary": "RHBZ#958618", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-2035", "url": "https://www.cve.org/CVERecord?id=CVE-2013-2035" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035" } ], "release_date": "2013-05-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { 
"category": "impact", "details": "Low" } ], "title": "HawtJNI: predictable temporary file name leading to local arbitrary code execution" }, { "cve": "CVE-2013-3060", "cwe": { "id": "CWE-306", "name": "Missing Authentication for Critical Function" }, "discovery_date": "2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955908" } ], "notes": [ { "category": "description", "text": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: Unauthenticated access to web console", "title": "Vulnerability summary" }, { "category": "other", "text": "Fuse ESB Enterprise 7.1.0, Fuse MQ Enterprise 7.1.1, JBoss Fuse 6.0.0 and JBoss A-MQ 6.0.0 all contain the Apache ActiveMQ web console, but it is not deployed by default. The documentation for deploying the web console covers the configuration needed to ensure authentication is enabled, therefore these products are not affected by this flaw. 
In a future update to these products, the web console will be configured so that authentication is automatically enabled if the web console is deployed, eliminating the need to manually configure it.\n\nA future update may address this flaw in Fuse Message Broker 5.5.1.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-3060" }, { "category": "external", "summary": "RHBZ#955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-3060", "url": "https://www.cve.org/CVERecord?id=CVE-2013-3060" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060" } ], "release_date": "2012-11-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": 
"activemq: Unauthenticated access to web console" } ] }
rhsa-2013:1029
Vulnerability from csaf_redhat
Published
2013-07-09 17:51
Modified
2024-11-22 07:28
Summary
Red Hat Security Advisory: Fuse MQ Enterprise 7.1.0 update
Notes
Topic
Fuse MQ Enterprise 7.1.0 roll up patch 1, which fixes multiple security
issues and various bugs, is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission-critical applications.
This release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to
Fuse MQ Enterprise 7.1.0 and includes bug fixes. Refer to the readme file
included with the patch files for information about the bug fixes.
The following security issues are also fixed with this release:
It was found that, by default, the Apache ActiveMQ web console did not
require authentication. A remote attacker could use this flaw to modify the
state of the Apache ActiveMQ environment, obtain sensitive information, or
cause a denial of service. (CVE-2013-3060)
Multiple cross-site scripting (XSS) flaws were found in the Apache ActiveMQ
demo web applications. A remote attacker could use these flaws to inject
arbitrary web script or HTML on pages displayed by the demo web
applications. (CVE-2012-6092)
It was found that a sample Apache ActiveMQ application was deployed by
default. A remote attacker could use this flaw to send requests to the sample
application, allowing them to consume all available broker
resources. (CVE-2012-6551)
A stored cross-site scripting (XSS) flaw was found in the way Apache
ActiveMQ handled cron jobs. A remote attacker could use this flaw to
perform an XSS attack against users viewing the scheduled.jsp page.
(CVE-2013-1879)
A reflected cross-site scripting (XSS) flaw was found in the
portfolioPublish servlet of the Apache ActiveMQ demo web applications. A
remote attacker could use this flaw to inject arbitrary web script or
HTML. (CVE-2013-1880)
Note: All of the above flaws only affected the distribution of Apache
ActiveMQ included in the extras directory of the Fuse MQ Enterprise
distribution. The Fuse MQ Enterprise product itself was not affected by any
of the above flaws.
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp/ when the native libraries were bundled in a JAR file, and no
custom library path was specified. A local attacker could overwrite these
native libraries with malicious versions during the window between when
HawtJNI writes them and when they are executed. (CVE-2013-2035)
The CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat
Product Security Team.
All users of Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer
Portal are advised to upgrade to Fuse MQ Enterprise 7.1.0 roll up patch 1.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Fuse MQ Enterprise 7.1.0 roll up patch 1, which fixes multiple security\nissues and various bugs, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis release of Fuse MQ Enterprise 7.1.0 roll up patch 1 is an update to\nFuse MQ Enterprise 7.1.0 and includes bug fixes. Refer to the readme file\nincluded with the patch files for information about the bug fixes.\n\nThe following security issues are also fixed with this release:\n\nIt was found that, by default, the Apache ActiveMQ web console did not\nrequire authentication. A remote attacker could use this flaw to modify the\nstate of the Apache ActiveMQ environment, obtain sensitive information, or\ncause a denial of service. (CVE-2013-3060)\n\nMultiple cross-site scripting (XSS) flaws were found in the Apache ActiveMQ\ndemo web applications. A remote attacker could use these flaws to inject\narbitrary web script or HTML on pages displayed by the demo web\napplications. (CVE-2012-6092)\n\nIt was found that a sample Apache ActiveMQ application was deployed by\ndefault. 
A remote attacker could use this flaw to send the sample\napplication requests, allowing them to consume all available broker\nresources. (CVE-2012-6551)\n\nA stored cross-site scripting (XSS) flaw was found in the way Apache\nActiveMQ handled cron jobs. A remote attacker could use this flaw to\nperform an XSS attack against users viewing the scheduled.jsp page.\n(CVE-2013-1879)\n\nA reflected cross-site scripting (XSS) flaw was found in the\nportfolioPublish servlet of the Apache ActiveMQ demo web applications. A\nremote attacker could use this flaw to inject arbitrary web script or\nHTML. (CVE-2013-1880)\n\nNote: All of the above flaws only affected the distribution of Apache\nActiveMQ included in the extras directory of the Fuse MQ Enterprise\ndistribution. The Fuse MQ Enterprise product itself was not affected by any\nof the above flaws.\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp/ when the native libraries were bundled in a JAR file, and no\ncustom library path was specified. A local attacker could overwrite these\nnative libraries with malicious versions during the window between when\nHawtJNI writes them and when they are executed. (CVE-2013-2035)\n\nThe CVE-2013-2035 issue was discovered by Florian Weimer of the Red Hat\nProduct Security Team.\n\nAll users of Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer\nPortal are advised to upgrade to Fuse MQ Enterprise 7.1.0 roll up patch 1.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2013:1029", "url": "https://access.redhat.com/errata/RHSA-2013:1029" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0" }, { "category": "external", "summary": "924446", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924446" }, { "category": "external", "summary": "924447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924447" }, { "category": "external", "summary": "955906", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955906" }, { "category": "external", "summary": "955907", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955907" }, { "category": "external", "summary": "955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "external", "summary": "958618", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1029.json" } ], "title": "Red Hat Security Advisory: Fuse MQ Enterprise 7.1.0 update", "tracking": { "current_release_date": 
"2024-11-22T07:28:40+00:00", "generator": { "date": "2024-11-22T07:28:40+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2013:1029", "initial_release_date": "2013-07-09T17:51:00+00:00", "revision_history": [ { "date": "2013-07-09T17:51:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2013-07-09T17:56:11+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T07:28:40+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Fuse MQ Enterprise 7.1.0", "product": { "name": "Fuse MQ Enterprise 7.1.0", "product_id": "Fuse MQ Enterprise 7.1.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:fuse_mq_enterprise:7.1.0" } } } ], "category": "product_family", "name": "Fuse Enterprise Middleware" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2012-6092", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955906" } ], "notes": [ { "category": "description", "text": "Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. 
NOTE: AMQ-4124 is covered by CVE-2012-6551.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: Multiple XSS flaws in web demos", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2012-6092" }, { "category": "external", "summary": "RHBZ#955906", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955906" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2012-6092", "url": "https://www.cve.org/CVERecord?id=CVE-2012-6092" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-6092", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6092" } ], "release_date": "2012-10-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "activemq: Multiple XSS flaws in web demos" }, { "cve": "CVE-2012-6551", "discovery_date": 
"2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955907" } ], "notes": [ { "category": "description", "text": "The default configuration of Apache ActiveMQ before 5.8.0 enables a sample web application, which allows remote attackers to cause a denial of service (broker resource consumption) via HTTP requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: DoS by resource consumption via HTTP requests to sample webapp", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2012-6551" }, { "category": "external", "summary": "RHBZ#955907", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955907" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2012-6551", "url": "https://www.cve.org/CVERecord?id=CVE-2012-6551" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-6551", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6551" } ], "release_date": "2012-11-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, 
"confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "activemq: DoS by resource consumption via HTTP requests to sample webapp" }, { "cve": "CVE-2013-1879", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2013-03-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "924446" } ], "notes": [ { "category": "description", "text": "Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the \"cron of a message.\"", "title": "Vulnerability description" }, { "category": "summary", "text": "ActiveMQ: XSS vulnerability in scheduled.jsp", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-1879" }, { "category": "external", "summary": "RHBZ#924446", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924446" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-1879", "url": "https://www.cve.org/CVERecord?id=CVE-2013-1879" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1879", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1879" } ], "release_date": "2013-03-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": 
"2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ActiveMQ: XSS vulnerability in scheduled.jsp" }, { "cve": "CVE-2013-1880", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2013-03-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "924447" } ], "notes": [ { "category": "description", "text": "Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet in the demo web application in Apache ActiveMQ before 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the refresh parameter to demo/portfolioPublish, a different vulnerability than CVE-2012-6092.", "title": "Vulnerability description" }, { "category": "summary", "text": "ActiveMQ: XSS vulnerability in portfolioPublish demo application", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": 
"https://access.redhat.com/security/cve/CVE-2013-1880" }, { "category": "external", "summary": "RHBZ#924447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=924447" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-1880", "url": "https://www.cve.org/CVERecord?id=CVE-2013-1880" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1880", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1880" } ], "release_date": "2013-03-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ActiveMQ: XSS vulnerability in portfolioPublish demo application" }, { "acknowledgments": [ { "names": [ "Florian Weimer" ], "organization": "Red Hat Product Security Team", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2013-2035", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "discovery_date": "2013-04-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "958618" } ], "notes": [ { "category": "description", "text": "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. 
A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.", "title": "Vulnerability description" }, { "category": "summary", "text": "HawtJNI: predictable temporary file name leading to local arbitrary code execution", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-2035" }, { "category": "external", "summary": "RHBZ#958618", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-2035", "url": "https://www.cve.org/CVERecord?id=CVE-2013-2035" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035" } ], "release_date": "2013-05-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { 
"category": "impact", "details": "Low" } ], "title": "HawtJNI: predictable temporary file name leading to local arbitrary code execution" }, { "cve": "CVE-2013-3060", "cwe": { "id": "CWE-306", "name": "Missing Authentication for Critical Function" }, "discovery_date": "2013-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "955908" } ], "notes": [ { "category": "description", "text": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq: Unauthenticated access to web console", "title": "Vulnerability summary" }, { "category": "other", "text": "Fuse ESB Enterprise 7.1.0, Fuse MQ Enterprise 7.1.1, JBoss Fuse 6.0.0 and JBoss A-MQ 6.0.0 all contain the Apache ActiveMQ web console, but it is not deployed by default. The documentation for deploying the web console covers the configuration needed to ensure authentication is enabled, therefore these products are not affected by this flaw. 
In a future update to these products, the web console will be configured so that authentication is automatically enabled if the web console is deployed, eliminating the need to manually configure it.\n\nA future update may address this flaw in Fuse Message Broker 5.5.1.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse MQ Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-3060" }, { "category": "external", "summary": "RHBZ#955908", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=955908" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-3060", "url": "https://www.cve.org/CVERecord?id=CVE-2013-3060" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060" } ], "release_date": "2012-11-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:51:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse MQ Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1029" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "Fuse MQ Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": 
"activemq: Unauthenticated access to web console" } ] }
gsd-2013-3060
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.
Aliases
{ "GSD": { "alias": "CVE-2013-3060", "description": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.", "id": "GSD-2013-3060", "references": [ "https://access.redhat.com/errata/RHSA-2013:1221", "https://access.redhat.com/errata/RHSA-2013:1029" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2013-3060" ], "details": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.", "id": "GSD-2013-3060", "modified": "2023-12-13T01:22:23.299236Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-3060", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "RHSA-2013:1029", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html" }, { "name": "[dev] 20121022 [DISCUSS] - ActiveMQ out of the box - Should not include the demos", "refsource": "MLIST", "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html" }, { "name": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998", "refsource": "CONFIRM", "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998" }, { "name": "59402", "refsource": "BID", "url": "http://www.securityfocus.com/bid/59402" }, { "name": "http://activemq.apache.org/activemq-580-release.html", "refsource": "CONFIRM", "url": "http://activemq.apache.org/activemq-580-release.html" }, { "name": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282" }, { "name": "RHSA-2013:1221", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html" }, { "name": "https://issues.apache.org/jira/browse/AMQ-4124", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/AMQ-4124" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "(,5.8.0)", "affected_versions": "All versions before 5.8.0", "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "cwe_ids": [ "CWE-1035", "CWE-287", "CWE-937" ], "date": "2022-07-08", "description": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.", "fixed_versions": [ "5.8.0" ], "identifier": "CVE-2013-3060", "identifiers": [ "GHSA-p358-58jj-hp65", "CVE-2013-3060" ], "not_impacted": "All 
versions starting from 5.8.0", "package_slug": "maven/org.apache.activemq/activemq-client", "pubdate": "2022-05-17", "solution": "Upgrade to version 5.8.0 or above.", "title": "Improper Authentication", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2013-3060", "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998", "https://issues.apache.org/jira/browse/AMQ-4124", "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282", "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html", "http://activemq.apache.org/activemq-580-release.html", "http://rhn.redhat.com/errata/RHSA-2013-1029.html", "http://rhn.redhat.com/errata/RHSA-2013-1221.html", "https://github.com/advisories/GHSA-p358-58jj-hp65" ], "uuid": "460f9639-2105-413f-ae98-e89c929693fb" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:4.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:4.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:4.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:4.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "5.7.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*", "cpe_name": [], 
"vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:4.0:rc2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:activemq:4.0:m4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-3060" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-287" } ] } ] }, "references": { "reference_data": [ { "name": "http://activemq.apache.org/activemq-580-release.html", "refsource": "CONFIRM", "tags": [], "url": "http://activemq.apache.org/activemq-580-release.html" }, { "name": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282", "refsource": "CONFIRM", "tags": [], "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282" }, { "name": "[dev] 20121022 [DISCUSS] - ActiveMQ out of the box - Should not include the demos", "refsource": "MLIST", "tags": [], "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html" }, { "name": "https://issues.apache.org/jira/browse/AMQ-4124", "refsource": "CONFIRM", "tags": [], "url": "https://issues.apache.org/jira/browse/AMQ-4124" }, { "name": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998", "refsource": "CONFIRM", "tags": [], "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998" }, { "name": "RHSA-2013:1221", "refsource": "REDHAT", "tags": [], "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html" }, { "name": "RHSA-2013:1029", "refsource": "REDHAT", "tags": [], "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html" }, { "name": "59402", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/59402" } ] } }, "impact": { "baseMetricV2": { "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", 
"userInteractionRequired": false } }, "lastModifiedDate": "2016-11-28T19:09Z", "publishedDate": "2013-04-21T21:55Z" } } }
ghsa-p358-58jj-hp65
Vulnerability from github
Published
2022-05-17 03:46
Modified
2024-03-18 13:06
Summary
Improper Authentication in Apache ActiveMQ
Details
The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.apache.activemq:activemq-client" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "5.8.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2013-3060" ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2022-07-08T19:14:28Z", "nvd_published_at": "2013-04-21T21:55:00Z", "severity": "MODERATE" }, "details": "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.", "id": "GHSA-p358-58jj-hp65", "modified": "2024-03-18T13:06:32Z", "published": "2022-05-17T03:46:28Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3060" }, { "type": "WEB", "url": "https://github.com/apache/activemq/commit/22bc55b9487df98a3c3cb04f99f4618fcba364fe" }, { "type": "WEB", "url": "https://github.com/apache/activemq/commit/437ea2f6e58d18837ae0e68dcd2fdadc1fff3723" }, { "type": "WEB", "url": "https://github.com/apache/activemq/commit/ced33d2551a040813cb40bd6d36fdd322034fa73" }, { "type": "WEB", "url": "https://fisheye6.atlassian.com/changelog/activemq?cs=1404998" }, { "type": "PACKAGE", "url": "https://github.com/apache/activemq" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/AMQ-4124" }, { "type": "WEB", "url": "https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210\u0026version=12323282" }, { "type": "WEB", "url": "http://activemq.2283324.n4.nabble.com/DISCUSS-ActiveMQ-out-of-the-box-Should-not-include-the-demos-tc4658044.html" }, { "type": "WEB", "url": "http://activemq.apache.org/activemq-580-release.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-1221.html" } ], "schema_version": "1.4.0", "severity": [], "summary": "Improper Authentication in Apache 
ActiveMQ" }
Sightings
Author | Source | Type | Date |
---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.