CVE-2020-11969

Published Jun 15, 2020

Last updated a year ago

CVSS critical 9.8

Overview

Description: If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5.
Source: security@apache.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

CVSS 2.0

Type: Primary
Base score: 6.8
Impact score: 6.4
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-306

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9836083A-FD7C-4E1B-91B1-7E41933345F1",
            "versionEndIncluding": "1.7.5",
            "versionStartIncluding": "1.0.0"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "55193DEA-47A2-45D1-9A0E-675A6D09C7EB",
            "versionEndIncluding": "7.0.7",
            "versionStartIncluding": "7.0.0"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7EA64B9D-C9A7-4576-A3E6-872D81EF79E4",
            "versionEndIncluding": "7.1.2",
            "versionStartIncluding": "7.1.0"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DEA94E5D-827D-45E5-9561-5435564A3086",
            "versionEndIncluding": "8.0.1",
            "versionStartIncluding": "8.0.0"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomee:7.0.0:m1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CF7BA078-B944-4A03-BC12-2DB95BD474A3"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomee:7.0.0:m2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9E520207-5DC0-4B93-8A66-D9396EB64559"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomee:7.0.0:m3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "19027673-1DF2-47D6-90F2-FD59DD2E690B"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomee:8.0.0:m1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AADB1D64-64A7-44C8-B433-550AA6A0E6A8"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References