Tomee Apache Tomee

Do you want an email whenever new security vulnerabilities are reported in Apache Tomee?

By the Year

In 2021 there have been 3 vulnerabilities in Apache Tomee with an average score of 6.8 out of ten. Last year Tomee had 2 security vulnerabilities published. That is, 1 more vulnerability have already been reported in 2021 as compared to last year. Last year, the average CVE base score was greater by 3.03

Year Vulnerabilities Average Score
2021 3 6.77
2020 2 9.80
2019 0 0.00
2018 1 6.10

It may take a day or so for new Tomee vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Tomee Security Vulnerabilities

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo

CVE-2021-40690 7.5 - High - September 19, 2021

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Information Disclosure

Apache Tomcat 10.0.0-M1 to 10.0.6

CVE-2021-33037 5.3 - Medium - July 12, 2021

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

HTTP Request Smuggling

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF

CVE-2021-30468 7.5 - High - June 16, 2021

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.

Resource Exhaustion

If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099

CVE-2020-13931 9.8 - Critical - December 18, 2020

If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface, however the incomplete fix did not cover this edge case.

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099

CVE-2020-11969 9.8 - Critical - June 15, 2020

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5.

authentification

The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could

CVE-2018-8031 6.1 - Medium - July 23, 2018

The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles do not ship with this application included. This issue can be mitigated by removing the application after TomEE is setup (if using the application to install TomEE), using one of the provided pre-configured bundles, or by upgrading to TomEE 7.0.5. This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f84e47579863.

XSS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Apache Tomee or by Apache? Click the Watch button to subscribe.

Apache
Vendor

Apache Tomee
Product

subscribe