Sign-up

ID

VAR-202006-0356


CVE

CVE-2020-11969


TITLE

Apache TomEE Authentication vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2020-006814

DESCRIPTION

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5. Apache TomEE There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Apache TomEE is a lightweight Java EE application server from the Apache Software Foundation. An authorization issue vulnerability exists in Apache TomEE. Attackers can use this vulnerability to open the JMX port by sending a specially crafted request using the ‘useJMX=true’ parameter

Trust: 2.16

sources: NVD: CVE-2020-11969 // JVNDB: JVNDB-2020-006814 // CNVD: CNVD-2021-22176

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-22176

AFFECTED PRODUCTS

vendor:apachemodel:tomeescope:lteversion:8.0.1

Trust: 1.0

vendor:apachemodel:tomeescope:gteversion:1.0.0

Trust: 1.0

vendor:apachemodel:tomeescope:lteversion:1.7.5

Trust: 1.0

vendor:apachemodel:tomeescope:gteversion:7.1.0

Trust: 1.0

vendor:apachemodel:tomeescope:lteversion:7.0.7

Trust: 1.0

vendor:apachemodel:tomeescope:gteversion:8.0.0

Trust: 1.0

vendor:apachemodel:tomeescope:lteversion:7.1.2

Trust: 1.0

vendor:apachemodel:tomeescope:eqversion:8.0.0

Trust: 1.0

vendor:apachemodel:tomeescope:gteversion:7.0.0

Trust: 1.0

vendor:apachemodel:tomeescope:eqversion:7.0.0

Trust: 1.0

vendor:apachemodel:tomeescope:eqversion:1.0.0 から 1.7.5

Trust: 0.8

vendor:apachemodel:tomeescope:eqversion:7.0.0-m1 から 7.0.7

Trust: 0.8

vendor:apachemodel:tomeescope:eqversion:7.1.0 から 7.1.2

Trust: 0.8

vendor:apachemodel:tomeescope:eqversion:8.0.0-m1 から 8.0.1

Trust: 0.8

vendor:apachemodel:tomeescope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2021-22176 // JVNDB: JVNDB-2020-006814 // NVD: CVE-2020-11969

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-11969
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-006814
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2021-22176
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202006-1047
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2020-11969
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-006814
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-22176
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-11969
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006814
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-22176 // JVNDB: JVNDB-2020-006814 // CNNVD: CNNVD-202006-1047 // NVD: CVE-2020-11969

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.0

problemtype:CWE-287

Trust: 0.8

sources: JVNDB: JVNDB-2020-006814 // NVD: CVE-2020-11969

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-1047

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202006-1047

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-006814

PATCH
title:CVE-2020-11969 Apache TomEE - useJMX attribute on ActiveMQ resource adapter URI causes authenticated JMX port to be openurl:https://lists.apache.org/thread.html/rbd23418646dedda70a546331ea1c1d115b8975b7e7dc452d10e2e773%40%3Cdev.tomee.apache.org%3E
Trust: 0.8
title:Patch for Apache TomEE authorization issue vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/254726
Trust: 0.6
title:Apache TomEE Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=122498
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2021-22176 // 
            
            
            
            JVNDB: JVNDB-2020-006814 // 
            
            
            
            CNNVD: CNNVD-202006-1047

EXTERNAL IDS
db:NVDid:CVE-2020-11969
Trust: 3.0
db:OPENWALLid:OSS-SECURITY/2020/12/16/2
Trust: 1.6
db:JVNDBid:JVNDB-2020-006814
Trust: 0.8
db:CNVDid:CNVD-2021-22176
Trust: 0.6
db:CNNVDid:CNNVD-202006-1047
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2021-22176 // 
            
            
            
            JVNDB: JVNDB-2020-006814 // 
            
            
            
            CNNVD: CNNVD-202006-1047 // 
            
            
            
            NVD: CVE-2020-11969

REFERENCES
url:https://nvd.nist.gov/vuln/detail/cve-2020-11969
Trust: 2.0
url:https://lists.apache.org/thread.html/rbd23418646dedda70a546331ea1c1d115b8975b7e7dc452d10e2e773%40%3cdev.tomee.apache.org%3e
Trust: 1.6
url:http://www.openwall.com/lists/oss-security/2020/12/16/2
Trust: 1.6
url:https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe%40%3cdev.tomee.apache.org%3e
Trust: 1.0
url:https://lists.apache.org/thread.html/rbd23418646dedda70a546331ea1c1d115b8975b7e7dc452d10e2e773%40%3cannounce.apache.org%3e
Trust: 1.0
url:https://lists.apache.org/thread.html/r85b87478f8aa4751aa3a06e88622e80ffabae376ee7283e147ee56b9%40%3cdev.tomee.apache.org%3e
Trust: 1.0
url:https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe%40%3cusers.tomee.apache.org%3e
Trust: 1.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11969
Trust: 0.8
url:https://lists.apache.org/thread.html/rbd23418646dedda70a546331ea1c1d115b8975b7e7dc452d10e2e773@%3cannounce.apache.org%3e
Trust: 0.6
url:https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe@%3cdev.tomee.apache.org%3e
Trust: 0.6
url:https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe@%3cusers.tomee.apache.org%3e
Trust: 0.6
url:https://lists.apache.org/thread.html/r85b87478f8aa4751aa3a06e88622e80ffabae376ee7283e147ee56b9@%3cdev.tomee.apache.org%3e
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2021-22176 // 
            
            
            
            JVNDB: JVNDB-2020-006814 // 
            
            
            
            CNNVD: CNNVD-202006-1047 // 
            
            
            
            NVD: CVE-2020-11969

SOURCES
db:CNVDid:CNVD-2021-22176
db:JVNDBid:JVNDB-2020-006814
db:CNNVDid:CNNVD-202006-1047
db:NVDid:CVE-2020-11969

LAST UPDATE DATE
2024-11-23T22:33:26.442000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2021-22176date:2021-03-25T00:00:00
db:JVNDBid:JVNDB-2020-006814date:2020-07-17T00:00:00
db:CNNVDid:CNNVD-202006-1047date:2020-12-24T00:00:00
db:NVDid:CVE-2020-11969date:2024-11-21T04:59:00.827

SOURCES RELEASE DATE
db:CNVDid:CNVD-2021-22176date:2021-03-25T00:00:00
db:JVNDBid:JVNDB-2020-006814date:2020-07-17T00:00:00
db:CNNVDid:CNNVD-202006-1047date:2020-06-15T00:00:00
db:NVDid:CVE-2020-11969date:2020-06-15T20:15:11.147