CVE-2020-11969

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5.

Published: Jun 15, 2020
Updated: May 9, 2024
CVE: CVE-2020-11969
GHSA: GHSA-836g-5fr5-fgcr
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-306

Affected Software
References

Software	From	Fixed in
apache / tomee	7.0.0-m1	7.0.0-m1.x
apache / tomee	8.0.0-m1	8.0.0-m1.x
apache / tomee	8.0.0	8.0.1.x
apache / tomee	7.1.0	7.1.2.x
apache / tomee	7.0.0-m2	7.0.0-m2.x
apache / tomee	7.0.0-m3	7.0.0-m3.x
apache / tomee	7.0.0	7.0.7.x
apache / tomee	1.0.0	1.7.5.x
org.apache.tomee / tomee	8.0.0-M1	8.0.2
org.apache.tomee / tomee	7.1.0	7.1.3
org.apache.tomee / tomee	7.0.0-M1	7.0.8
org.apache.tomee / tomee	1.0.0	1.7.6

Vulnerability Database

289,599

CVE-2020-11969