GHSA-mp28-rq7g-qx62
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mp28-rq7g-qx62
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-mp28-rq7g-qx62/GHSA-mp28-rq7g-qx62.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mp28-rq7g-qx62
- Aliases
- Published
- 2022-02-09T22:44:38Z
- Modified
- 2023-11-08T04:02:22.832603Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Remote code execution in Apache TomEE
- Details
-
If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface, however the incomplete fix did not cover this edge case.
- Database specific
{ "nvd_published_at": "2020-12-18T00:15:00Z", "cwe_ids": [ "CWE-306" ], "severity": "CRITICAL", "github_reviewed_at": "2021-04-08T20:55:45Z", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-13931
- https://lists.apache.org/thread.html/r7f98907165b355dc65f28a57f15103a06173ce03261115fa46d569b4@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r85b87478f8aa4751aa3a06e88622e80ffabae376ee7283e147ee56b9@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe%40%3Cdev.tomee.apache.org%3E
Affected packages
Maven / org.apache.tomee:apache-tomee
Package
- Name
- org.apache.tomee:apache-tomee
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomee/apache-tomee
Maven / org.apache.tomee:apache-tomee
Package
- Name
- org.apache.tomee:apache-tomee
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomee/apache-tomee
Maven / org.apache.tomee:apache-tomee
Package
- Name
- org.apache.tomee:apache-tomee
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomee/apache-tomee