ID CVE-2002-1394
Summary Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.
References
Vulnerable Configurations
  • Apache Software Foundation Tomcat 4.0.0
    cpe:2.3:a:apache:tomcat:4.0.0
  • Apache Software Foundation Tomcat 4.0.1
    cpe:2.3:a:apache:tomcat:4.0.1
  • Apache Software Foundation Tomcat 4.0.2
    cpe:2.3:a:apache:tomcat:4.0.2
  • Apache Software Foundation Tomcat 4.0.3
    cpe:2.3:a:apache:tomcat:4.0.3
  • Apache Software Foundation Tomcat 4.0.4
    cpe:2.3:a:apache:tomcat:4.0.4
  • Apache Software Foundation Tomcat 4.0.5
    cpe:2.3:a:apache:tomcat:4.0.5
  • Apache Software Foundation Tomcat 4.1.0
    cpe:2.3:a:apache:tomcat:4.1.0
  • Apache Software Foundation Tomcat 4.1.3 beta
    cpe:2.3:a:apache:tomcat:4.1.3:beta
  • Apache Software Foundation Tomcat 4.1.9 beta
    cpe:2.3:a:apache:tomcat:4.1.9:beta
  • Apache Software Foundation Tomcat 4.1.10
    cpe:2.3:a:apache:tomcat:4.1.10
CVSS
Base: 7.5 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-225.NASL
    description A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases, which allows a specially crafted URL to be used to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by a security constraint, without the need for being properly authenticated. This is based on a variant of the exploit that was identified as CAN-2002-1148.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15062
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15062
    title Debian DSA-225-1 : tomcat4 - source disclosure
  • NASL family CGI abuses
    NASL id TOMCAT_SOURCE_EXPOSURE.NASL
    description The version of Apache Tomcat running on the remote host is affected by an information disclosure vulnerability. It is possible to view source code using the default servlet: org.apache.catalina.servlets.DefaultServlet. A remote attacker can exploit this information to mount further attacks. This version of Tomcat is reportedly affected by additional vulnerabilities; however, Nessus has not checked for them.
    last seen 2019-02-21
    modified 2018-08-22
    plugin id 11176
    published 2002-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11176
    title Apache Tomcat Catalina org.apache.catalina.servlets.DefaultServlet Source Code Disclosure
redhat via4
advisories
  • rhsa
    id RHSA-2003:075
  • rhsa
    id RHSA-2003:082
refmap via4
bid 6562
confirm
debian DSA-225
gentoo GLSA-200210-001
mlist
  • [tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
xf tomcat-invoker-source-code(10376)
Last major update 17-10-2016 - 22:26
Published 17-01-2003 - 00:00
Last modified 25-03-2019 - 07:29