Details
- Type: Dependency upgrade
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Version: 8.0.6
- Component/s: None
Description
The latest available TomEE version, 8.0.6, ships the opensaml component at version 3.3.1, which is affected by the security issues listed below.
Vulnerability Details
CVE-2020-27978
Vulnerability Published: 2020-10-28 11:15 EDT
Vulnerability Updated: 2020-10-28 12:26 EDT
CVSS Score: (under review, not scored yet - updates will be reported in issue comments)
Summary: Shibboleth Identity Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.
BDSA-2019-4785
Affected Component(s): OpenSAML 2.0
Vulnerability Published: 2020-10-29 11:37 EDT
Vulnerability Updated: 2020-10-29 11:37 EDT
CVSS Score: 6.5 (overall), 7.5 (base)
Summary: Shibboleth Identity Provider is vulnerable to denial-of-service (DoS) due to improper processing of authentication webflows. An attacker could exploit this vulnerability by supplying a system with maliciously crafted requests.
------------
The issue is fixed in version 3.4.6 or later.