Hello Cesar,

Yes, we declare it in the allowlist. The tool used is Grype.

Best Regards.

-----Original Message-----
From: Cesar Hernandez <[email protected]>
Sent: Tuesday, January 31, 2023 00:03
To: [email protected]
Subject: Re: CVE-2016-3088

@Francois What vulnerability scan are you using? Maybe you can file this as a false positive in the scanner project.

On Fri, Jan 27, 2023 at 13:34, Richard Zowalla (<[email protected]>) wrote:

> TomEE relies on activemq 5.16.5.
>
> According to [1], the fileserver was removed with 5.14.0.
>
> Regards
> Richard
>
> [1] https://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
>
> On Friday, 27.01.2023 at 18:05 +0000, COURTAULT Francois wrote:
> > Hello everyone,
> >
> > We scan the vulnerabilities in TomEE Plus 8.0.14 and we have
> > discovered the following CVE: CVE-2016-3088, which prevents us from using
> > this version :( It seems it is due to activemq-protobuf-1.1.jar.
> >
> > The question: Is the ActiveMQ Fileserver web application deployed in
> > TomEE 8.0.14 and TomEE 9.0.0?
> > If not, CVE-2016-3088 doesn't affect TomEE 8.0.14 and 9.0.0,
> > right?
> >
> > Best Regards.

--
Sincerely: César Hernández.
