{
  "threat_severity" : "Important",
  "public_date" : "2012-11-02T00:00:00Z",
  "bugzilla" : {
    "description" : "activemq: Unauthenticated access to web console",
    "id" : "955908",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=955908"
  },
  "cvss" : {
    "cvss_base_score" : "7.5",
    "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-306",
  "details" : [ "The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests." ],
  "statement" : "Fuse ESB Enterprise 7.1.0, Fuse MQ Enterprise 7.1.1, JBoss Fuse 6.0.0 and JBoss A-MQ 6.0.0 all contain the Apache ActiveMQ web console, but it is not deployed by default. The documentation for deploying the web console covers the configuration needed to ensure authentication is enabled, therefore these products are not affected by this flaw. In a future update to these products, the web console will be configured so that authentication is automatically enabled if the web console is deployed, eliminating the need to manually configure it.\nA future update may address this flaw in Fuse Message Broker 5.5.1.",
  "affected_release" : [ {
    "product_name" : "Fuse Message Broker 5.5.1",
    "release_date" : "2013-09-09T00:00:00Z",
    "advisory" : "RHSA-2013:1221",
    "cpe" : "cpe:/a:redhat:fuse_message_broker:5.5.1"
  }, {
    "product_name" : "Fuse MQ Enterprise 7.1.0",
    "release_date" : "2013-07-09T00:00:00Z",
    "advisory" : "RHSA-2013:1029",
    "cpe" : "cpe:/a:redhat:fuse_mq_enterprise:7.1.0"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Enterprise 1",
    "fix_state" : "Affected",
    "package_name" : "activemq",
    "cpe" : "cpe:/a:redhat:openshift:1"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "activemq",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2013-3060\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-3060" ],
  "name" : "CVE-2013-3060",
  "csaw" : false
}