[MAVEN:GHSA-836G-5FR5-FGCR] Missing Authentication for Critical Function in Apache TomEE
Severity: High
Affected Packages: 4
Fixed Packages: 4
CVEs: 1
If Apache TomEE is configured to use the embedded ActiveMQ broker and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099 without authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, 7.1.0 - 7.1.2, 7.0.0-M1 - 7.0.7, and 1.0.0 - 1.7.5.
Package | Affected Version |
---|---|
pkg:maven/org.apache.tomee/tomee | >= 1.0.0, <= 1.7.5 |
pkg:maven/org.apache.tomee/tomee | >= 7.0.0-M1, <= 7.0.7 |
pkg:maven/org.apache.tomee/tomee | >= 7.1.0, <= 7.1.2 |
pkg:maven/org.apache.tomee/tomee | >= 8.0.0-M1, <= 8.0.1 |
Package | Fixed Version |
---|---|
pkg:maven/org.apache.tomee/tomee | = 1.7.6 |
pkg:maven/org.apache.tomee/tomee | = 7.0.8 |
pkg:maven/org.apache.tomee/tomee | = 7.1.3 |
pkg:maven/org.apache.tomee/tomee | = 8.0.2 |
- ID: MAVEN:GHSA-836G-5FR5-FGCR
- Severity: high
- URL: https://github.com/advisories/GHSA-836g-5fr5-fgcr
- Published: 2022-02-10T23:07:37 (2 years ago)
- Modified: 2023-02-01T05:05:43 (19 months ago)
- Rights: Maven Security Team
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.apache.tomee/tomee | org.apache.tomee | tomee | >= 1.0.0 <= 1.7.5 | | | |
Fixed | pkg:maven/org.apache.tomee/tomee | org.apache.tomee | tomee | = 1.7.6 | | | |
Affected | pkg:maven/org.apache.tomee/tomee | org.apache.tomee | tomee | >= 7.0.0-M1 <= 7.0.7 | | | |
Fixed | pkg:maven/org.apache.tomee/tomee | org.apache.tomee | tomee | = 7.0.8 | | | |
Affected | pkg:maven/org.apache.tomee/tomee | org.apache.tomee | tomee | >= 7.1.0 <= 7.1.2 | | | |
Fixed | pkg:maven/org.apache.tomee/tomee | org.apache.tomee | tomee | = 7.1.3 | | | |
Affected | pkg:maven/org.apache.tomee/tomee | org.apache.tomee | tomee | >= 8.0.0-M1 <= 8.0.1 | | | |
Fixed | pkg:maven/org.apache.tomee/tomee | org.apache.tomee | tomee | = 8.0.2 | | | |