Auth bypass in Apache Activemq

CVE-2013-3060

The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests.

Vulnerability class: Broken Authentication

EPSS: 0.010 (77.6th percentile) — read the EPSS interpretation.

Affected products

Apache Activemq — versions 4.0, 4.0.1, 4.0.2
N/a — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

RHSA-2013:1029 (x_refsource_REDHAT, vendor-advisory)
[dev] 20121022 [DISCUSS] - ActiveMQ out of the box - Should not include the demos (mailing-list, x_refsource_MLIST)
cve@mitre.org (x_refsource_CONFIRM)
59402 (vdb-entry, x_refsource_BID)
cve@mitre.org (x_refsource_CONFIRM)
cve@mitre.org (x_refsource_CONFIRM)
RHSA-2013:1221 (x_refsource_REDHAT, vendor-advisory)
cve@mitre.org (x_refsource_CONFIRM)