TomEE 8.0.8 is using xmlsec-2.2.1.jar (Apache Santuario) which is affected by vulnerability CVE-2021-40690 with CVSS score of 6.5.
A file disclosure vulnerability has been found in Apache Santuario XML Security for Java. An XPath Transform could be used to extract any local .xml files in a RetrievalMethod element.
The remediation for the security flaw is available in xmlsec-2.1.7 older build and xmlsec-2.2.3 official build.
Please upgrade to xmlsec-2.2.3 version which has an official fix to address this issue.