Vulnerability Details : CVE-2020-11969
If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099 without any authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, and Apache TomEE 1.0.0 - 1.7.5.
Products affected by CVE-2020-11969
- cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomee:7.0.0:m1:*:*:*:*:*:*
- cpe:2.3:a:apache:tomee:7.0.0:m2:*:*:*:*:*:*
- cpe:2.3:a:apache:tomee:7.0.0:m3:*:*:*:*:*:*
- cpe:2.3:a:apache:tomee:8.0.0:m1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11969
- EPSS score: 4.00% (probability of exploitation activity in the next 30 days)
- Percentile: ~92% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2020-11969
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2020-11969
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11969
- https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe@%3Cusers.tomee.apache.org%3E
  [SECURITY] CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can lead to JMX being enabled - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/r85b87478f8aa4751aa3a06e88622e80ffabae376ee7283e147ee56b9@%3Cdev.tomee.apache.org%3E
  Re: CVE-2020-13931 is Fake vulnerability - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/rbd23418646dedda70a546331ea1c1d115b8975b7e7dc452d10e2e773%40%3Cdev.tomee.apache.org%3E
  CVE-2020-11969 Apache TomEE - useJMX attribute on ActiveMQ resource adapter URI causes authenticated JMX port to be open - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe@%3Cdev.tomee.apache.org%3E
  [SECURITY] CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can lead to JMX being enabled - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/rbd23418646dedda70a546331ea1c1d115b8975b7e7dc452d10e2e773@%3Cannounce.apache.org%3E
  CVE-2020-11969 Apache TomEE - useJMX attribute on ActiveMQ resource adapter URI causes authenticated JMX port to be open - Pony Mail (Mailing List; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2020/12/16/2
  oss-security - CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can lead to JMX being enabled (Mailing List; Third Party Advisory)