@Francois What vulnerability scan are you using? Maybe you can file this as a false positive in the scanner project.

On Fri, 27 Jan 2023 at 13:34, Richard Zowalla (<r...@apache.org>) wrote:

> TomEE relies on activemq 5.16.5.
>
> According to [1], the fileserver was removed with 5.14.0.
>
> Regards
> Richard
>
> [1]
> https://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
>
> On Friday, 27.01.2023 at 18:05 +0000, COURTAULT Francois wrote:
> > Hello everyone,
> >
> > We scan the vulnerabilities in TomEE Plus 8.0.14 and we have
> > discovered the following CVE: CVE-2016-3088, which prevents us from using
> > this version :(
> > It seems it is due to activemq-protobuf-1.1.jar.
> >
> > The question: Is the ActiveMQ Fileserver web application deployed in
> > TomEE 8.0.14 and TomEE 9.0.0?
> > If not, CVE-2016-3088 doesn't affect TomEE 8.0.14 and 9.0.0, right?
> >
> > Best Regards.

--
Sincerely: César Hernández.