apache tomee vulnerabilities and exploits

(subscribe to this query)

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache T...

Apache Tomee Apache Tomee 7.0.0 Apache Tomee 8.0.0

If Apache TomEE 8.0.0-M1 - 8.0.3, 7.1.0 - 7.1.3, 7.0.0-M1 - 7.0.8, 1.0.0 - 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously addr...

Apache Tomee Apache Tomee 7.0.0 Apache Tomee 8.0.0

The EjbObjectInputStream class in Apache TomEE prior to 1.7.4 and 7.x prior to 7.0.0-M3 allows remote malicious users to execute arbitrary code via a crafted serialized object.

Apache Tomee Apache Tomee 7.0.0

The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles do not ship with this applica...

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an malicious user to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions before 3.4.4; Apach...

Apache Cxf Apache Tomee 8.0.6 Oracle Business Intelligence 5.5.0.0.0 Oracle Business Intelligence 5.9.0.0.0 Oracle Business Intelligence 12.2.1.3.0 Oracle Business Intelligence 12.2.1.4.0 Oracle Communications Element Manager 8.2.2 Oracle Communications Messaging Server 8.1

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.63 Apache Tomee 7.0.7 Apache Tomee 7.1.2 Apache Tomee 8.0.1 Netapp Active Iq Unified Manager Netapp Oncommand Api Services -Netapp Oncommand Workflow Automation -Netapp Service Level Manager -Oracle Business Process Management Suite 12.2.1.3.0 Oracle Business Process Management Suite 12.2.1.4.0 Oracle Communications Convergence Oracle Communications Diameter Signaling Router

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomca...

Apache Tomcat Apache Tomee 7.0.7 Opensuse Leap 15.1 Netapp Data Availability Services -Netapp Oncommand System Manager Debian Debian Linux 9.0 Debian Debian Linux 10.0 Oracle Agile Engineering Data Management 6.2.1.0 Oracle Agile Plm 9.3.3 Oracle Agile Plm 9.3.5 Oracle Agile Plm 9.3.6 Oracle Communications Instant Messaging Server 10.0.1.4.0

All versions of Apache Santuario - XML Security for Java before 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an malicious user to abuse an XP...

Apache Santuario Xml Security For Java Apache Cxf 3.4.4 Apache Tomee Debian Debian Linux 9.0 Debian Debian Linux 10.0 Debian Debian Linux 11.0 Oracle Agile Plm 9.3.6 Oracle Commerce Guided Search 11.3.2 Oracle Commerce Platform 11.3.2 Oracle Communications Diameter Intelligence Hub Oracle Communications Messaging Server 8.1 Oracle Flexcube Private Banking 12.1.0

2 Github repositories

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ign...

Apache Tomcat Apache Tomee 8.0.6 Debian Debian Linux 9.0 Debian Debian Linux 10.0 Oracle Agile Plm 9.3.6 Oracle Communications Cloud Native Core Policy 1.14.0 Oracle Communications Cloud Native Core Service Communication Proxy 1.14.0 Oracle Communications Diameter Signaling Router Oracle Communications Instant Messaging Server 10.0.1.5.0 Oracle Communications Policy Management 12.5.0 Oracle Communications Pricing Design Center 12.0.0.3.0 Oracle Communications Session Report Manager

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler up to and including 2.3.0 allows XXE attacks via a job description.

Softwareag Quartz Oracle Apache Batik Mapviewer 12.2.0.1 Oracle Apache Batik Mapviewer 18c Oracle Apache Batik Mapviewer 19c Oracle Banking Enterprise Originations 2.7.0 Oracle Banking Enterprise Originations 2.8.0 Oracle Banking Enterprise Product Manufacturing 2.7.0 Oracle Banking Enterprise Product Manufacturing 2.8.0 Oracle Banking Payments Oracle Communications Ip Service Activator 7.3.0 Oracle Communications Ip Service Activator 7.4.0 Oracle Communications Session Route Manager

2 Github repositories

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook