Advisories for Maven/Org.apache.tomee/Openejb-Lite package

2021

Exposure of Sensitive Information to an Unauthorized Actor

All versions of Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

2020

Improper Authentication

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on a TCP port that does not include authentication.

Improper Authentication

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port, which does not include authentication.