CVE-2021-40690
The CVE-2021-40690 issue affects Apache Santuario – XML Security for Java. All versions prior to 2.2.3 and 2.1.7 are vulnerable due to the "secureValidation" property not being passed when creating a KeyInfo from a KeyInfoReference element, enabling an XPath Transform abuse to extract local .xml ...
CVE-2021-33037
CVE-2021-33037 affects Apache Tomcat: versions 10.0.0-M1–10.0.6, 9.0.0.M1–9.0.46, and 8.5.0–8.5.66 may mishandle the HTTP transfer-encoding header with reverse proxies, enabling request smuggling. Root cause: improper header handling allowing spoofed content encoding sequencing. Impact stated in ...
CVE-2019-13990
CVE-2019-13990 affects Terracotta Quartz Scheduler within Atlassian Jira Service Management Data Center/Server and related Oracle Fusion Middleware deployments, via XXE in the Terracotta Quartz Scheduler component when parsing a job description. The root cause is an XML External Entity condition ...
CVE-2019-17569
CVE-2019-17569: In Apache Tomcat, a regression from refactoring in 9.0.28–9.0.30, 8.5.48–8.5.50, and 7.0.98–7.0.99 caused invalid Transfer-Encoding header handling, enabling HTTP Request Smuggling behind a misconfigured reverse proxy. Connected advisories show mitigations: Amazon Linux 2 ALAS2TOM...
CVE-2021-30468
CVE-2021-30468 is a denial-of-service issue in Apache CXF caused by an infinite loop in the JsonMapObjectReaderWriter. Connected IBM advisories confirm the vulnerability affects CXF usage in IBM products (e.g., Tivoli Network Manager IP Edition and IBM Security Guardium) and list the affected CXF...
CVE-2019-17359
The CVE-2019-17359 entry concerns Bouncy Castle Crypto (BC Java) 1.63. The vulnerability lies in the ASN.1 parser, which can trigger a large memory allocation leading to a memory exhaustion/OutOfMemoryError via crafted ASN.1 data. Affected product: BC Java 1.63; fixed in BC Java 1.64. The issue i...
CVE-2020-13931
CVE-2020-13931: Apache TomEE with embedded ActiveMQ broker and a misconfigured broker config can open a JMX port (TCP 1099) without authentication, for TomEE versions 8.0.0-M1–8.0.3, 7.1.0–7.1.3, 7.0.0-M1–7.0.8, and 1.0.0–1.7.5. This edge case was not covered by the prior fix for CVE-2020-11969,...
CVE-2018-8031
CVE-2018-8031 describes a Cross-site Scripting (XSS) vulnerability in the Apache TomEE console (tomee-webapp). The issue could allow arbitrary JavaScript execution when a user visits a malicious URL. In TomEE bundles that do not ship this application, or once setup is complete, the UI can be removed to mitigate exposure...
CVE-2020-11969
CVE-2020-11969 concerns Apache TomEE when configured with the embedded ActiveMQ broker and broker URI includes useJMX=true, which opens a JMX port on TCP 1099 without authentication. Affected versions: TomEE 8.0.0-M1 through 8.0.1; 7.1.0 through 7.1.2; 7.0.0-M1 through 7.0.7; 1.0.0 through 1.7.5....
CVE-2016-0779
CVE-2016-0779 affects Apache TomEE, where the EjbObjectInputStream class before 1.7.4 and before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. The vulnerability enables remote code execution (RCE) by deserializing untrusted data, with affected product...