GHSA-836g-5fr5-fgcr

Suggest an improvement
Source
https://github.com/advisories/GHSA-836g-5fr5-fgcr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-836g-5fr5-fgcr/GHSA-836g-5fr5-fgcr.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-836g-5fr5-fgcr
Aliases
Published
2022-02-10T23:07:37Z
Modified
2023-11-01T04:51:33.666217Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Missing Authentication for Critical Function in Apache TomEE
Details

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5.

Database specific
{
    "nvd_published_at": "2020-06-15T20:15:00Z",
    "github_reviewed_at": "2021-05-12T15:57:39Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-306"
    ]
}
References

Affected packages

Maven / org.apache.tomee:tomee

Package

Name
org.apache.tomee:tomee
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomee/tomee

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0-M1
Fixed
8.0.2

Affected versions

8.*

8.0.0-M1
8.0.0-M2
8.0.0-M3
8.0.0
8.0.1

Database specific

{
    "last_known_affected_version_range": "<= 8.0.1"
}

Maven / org.apache.tomee:tomee

Package

Name
org.apache.tomee:tomee
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomee/tomee

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.1.0
Fixed
7.1.3

Affected versions

7.*

7.1.0
7.1.1
7.1.2

Database specific

{
    "last_known_affected_version_range": "<= 7.1.2"
}

Maven / org.apache.tomee:tomee

Package

Name
org.apache.tomee:tomee
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomee/tomee

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0-M1
Fixed
7.0.8

Affected versions

7.*

7.0.0-M1
7.0.0-M2
7.0.0-M3
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6
7.0.7

Database specific

{
    "last_known_affected_version_range": "<= 7.0.7"
}

Maven / org.apache.tomee:tomee

Package

Name
org.apache.tomee:tomee
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomee/tomee

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.7.6

Database specific

{
    "last_known_affected_version_range": "<= 1.7.5"
}