CVE-2020-13931: Remote code execution in Apache TomEE

February 9, 2022

If Apache TomEE - - - - is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface, however the incomplete fix does not cover this edge case.

References

nvd.nist.gov/vuln/detail/CVE-2020-13931

Detect and mitigate CVE-2020-13931 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →