TomEE / TOMEE-3798

TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 8.0.8
    • Fix Version/s: 8.0.9
    • Component/s: None

    Description

      TomEE 8.0.8 ships xmlsec-2.2.1.jar (Apache Santuario), which is affected by CVE-2021-40690 (CVSS score 6.5).

      Summary:
      A file disclosure vulnerability has been found in Apache Santuario XML Security for Java. An XPath Transform could be used to extract any local .xml files in a RetrievalMethod element.

      A fix for this flaw is available in xmlsec 2.1.7 (the older release branch) and in the official xmlsec 2.2.3 build.

      Please upgrade to xmlsec 2.2.3, which contains the official fix for this issue.
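As an added check (not part of this issue or of the TomEE project), the script below audits a TomEE lib directory for xmlsec jars and flags any version below the fixed releases named above (2.1.7 for the 2.1 branch, 2.2.3 for the 2.2 branch); the jar-name pattern, the treatment of branches older than 2.1 as needing review, and of branches newer than 2.2 as fixed are assumptions.

```python
import re
from pathlib import Path

# Fixed releases per branch, as stated in the issue: 2.1.7 and 2.2.3.
FIXED = {(2, 1): (2, 1, 7), (2, 2): (2, 2, 3)}
# Assumed file-name pattern for the Santuario jar shipped in tomee/lib.
JAR_RE = re.compile(r"^xmlsec-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) for an xmlsec jar name, else None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True if this xmlsec version predates the fix for its branch.

    Assumption: branches older than 2.1 have no fixed release listed in the
    issue, so they are flagged; branches newer than 2.2 are treated as fixed.
    """
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    return branch < (2, 1)


def audit_jar_names(jar_names):
    """Map each xmlsec jar name to True (vulnerable) or False (fixed)."""
    result = {}
    for name in jar_names:
        v = parse_version(name)
        if v is not None:
            result[name] = is_vulnerable(v)
    return result


def audit_lib_dir(lib_dir):
    """Audit every xmlsec-*.jar directly under lib_dir (e.g. tomee/lib)."""
    return audit_jar_names(p.name for p in Path(lib_dir).glob("xmlsec-*.jar"))


if __name__ == "__main__":
    # Constructed sample listing standing in for a real tomee/lib directory.
    sample = ["xmlsec-2.2.1.jar", "xmlsec-2.2.3.jar", "openejb-core.jar"]
    for jar, vulnerable in audit_jar_names(sample).items():
        print(f"{jar}: {'VULNERABLE (CVE-2021-40690)' if vulnerable else 'ok'}")
```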

          People

            Assignee: Jonathan Gallimore (jgallimore)
            Reporter: Pavana Sai Mahathi Vavilala
