{"id":"CVE-2020-11969","details":"If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port 1099, which does not include authentication. This affects Apache TomEE 8.0.0-M1 - 8.0.1, Apache TomEE 7.1.0 - 7.1.2, Apache TomEE 7.0.0-M1 - 7.0.7, Apache TomEE 1.0.0 - 1.7.5.","aliases":["GHSA-836g-5fr5-fgcr"],"modified":"2026-04-11T22:57:32.395625Z","published":"2020-06-15T20:15:11.147Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r85b87478f8aa4751aa3a06e88622e80ffabae376ee7283e147ee56b9%40%3Cdev.tomee.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbd23418646dedda70a546331ea1c1d115b8975b7e7dc452d10e2e773%40%3Cannounce.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe%40%3Cdev.tomee.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe%40%3Cusers.tomee.apache.org%3E"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2020/12/16/2"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rbd23418646dedda70a546331ea1c1d115b8975b7e7dc452d10e2e773%40%3Cdev.tomee.apache.org%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomee","events":[{"introduced":"83c249c71f8dbc7aa149e202be0c0bdc01b6469e"},{"last_affected":"0bbaf5086db3a716a3976635c2d8b8e1b28ad9d4"},{"introduced":"a789142b0448aa9a65adcc0cd032f56ad7f756f6"},{"last_affected":"24420829cd7de768df247fa7b3c8ae62c13a68e2"},{"introduced":"8c6358cca46e431df78fc9c7d818259a9ba8635b"},{"last_affected":"4ec1e7e4017fceb7b40b582ad6897a49b84e7643"},{"introduced":"2fd9372ccc2438b6b42021c46f51bf91add099e1"},{"last_affected":"38d3d3041e8489c312ffaa9fa6c694e072b444e8"},{"introduced":"0"},{"last_affected":"ecdcd044f92953e55d9e7a948968de918edb4ed6"},{"last_affected":"510c4bade028e1fd52412618c2f578e05164214d"},{"last_affected":"8846c3f4d05722717b65e9bef9384c2928b7cfe9"},{"last_affected":"bdcec137dd4eb1658e78ddcf5b7b15ac583daea1"}],"database_specific":{"cpe":["cpe:2.3:a:apache:tomee:*:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomee:7.0.0:m1:*:*:*:*:*:*","cpe:2.3:a:apache:tomee:7.0.0:m2:*:*:*:*:*:*","cpe:2.3:a:apache:tomee:7.0.0:m3:*:*:*:*:*:*","cpe:2.3:a:apache:tomee:8.0.0:m1:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"1.0.0"},{"last_affected":"1.7.5"},{"introduced":"7.0.0"},{"last_affected":"7.0.7"},{"introduced":"7.1.0"},{"last_affected":"7.1.2"},{"introduced":"8.0.0"},{"last_affected":"8.0.1"},{"introduced":"0"},{"last_affected":"7.0.0-m1"},{"last_affected":"7.0.0-m2"},{"last_affected":"7.0.0-m3"},{"last_affected":"8.0.0-m1"}]}}],"versions":["8.0.0-TT.1","tomee-1.7.4","tomee-1.7.5","tomee-7.0.0-M1","tomee-7.0.0-M2","tomee-7.0.0-M3","tomee-7.0.5","tomee-7.0.6","tomee-7.0.7","tomee-7.1.0","tomee-7.1.1","tomee-7.1.2","tomee-8.0.0-M1","tomee-8.0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-11969.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}