CVEs with nessus.description ==

According to its self-reported version number, the Apache Tomcat server listening on the remote host is prior to 4.1.40, 5.5.28, or 6.0.20. It is, therefore, affected by the following vulnerabilities:
- The remote server is affected by a directory traversal vulnerability if a RequestDispatcher obtained from a Request object is used. A specially crafted value for a request parameter can be used to access potentially sensitive configuration files or other files, e.g., files in the WEB-INF directory. (CVE-2008-5515)
- The remote server is affected by a denial of service vulnerability if configured to use the Java AJP connector. An attacker can send a malicious request with invalid headers which causes the AJP connector to be put into an error state for a short time. This behavior can be used as a denial of service attack. (CVE-2009-0033)
- The remote server is affected by a username enumeration vulnerability if configured to use FORM authentication along with the 'MemoryRealm', 'DataSourceRealm', or 'JDBCRealm' authentication realms. (CVE-2009-0580)
- The remote server is affected by a cross-site scripting (script injection) vulnerability if the example JSP application 'cal2.jsp' is installed. An unauthenticated, remote attacker can exploit this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site. (CVE-2009-0781)
- The remote server allows a malicious web application to replace the XML parser that Tomcat uses to process the 'web.xml', 'context.xml', and TLD files of other web applications. Because those files are interpreted through the replaced parser, their effective contents can be altered without authorization. (CVE-2009-0783)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
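As an added example (not from the Nessus plugin or from this page), the kind of version-only check the note above describes, in Python: it extracts a self-reported version from a banner string and compares it against the fixed releases named above (4.1.40, 5.5.28, 6.0.20) branch by branch, and it refuses to call an uncovered branch or a missing banner "safe". The banner samples and the banner regex are assumptions; real deployments may suppress or customize the banner.

```python
"""Version-only Tomcat check (added example, not Nessus plugin code).

Flags a self-reported Apache Tomcat version that is strictly below the
fixed release of its branch, as listed in the advisory text above.
"""
import re

# Fixed releases per branch (major, minor) -> first non-vulnerable version.
FIXED = {
    (4, 1): (4, 1, 40),
    (5, 5): (5, 5, 28),
    (6, 0): (6, 0, 20),
}

# Tomcat's default error pages embed "Apache Tomcat/x.y.z"; this regex is an
# assumption about that banner format, not a guarantee about every deployment.
BANNER_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) found in text, or None if absent."""
    m = BANNER_RE.search(text)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version):
    """True if version is below its branch's fixed release, False if at or
    above it, None for branches the advisory does not cover (e.g. 5.0.x).
    Returning None keeps 'uncovered' distinct from 'fixed'."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed  # tuple comparison is lexicographic


def assess(banner):
    """Classify one banner string: ('vulnerable'|'fixed'|'uncovered'|'unknown', version)."""
    version = parse_version(banner)
    if version is None:
        return ("unknown", None)
    status = is_vulnerable(version)
    if status is None:
        return ("uncovered", version)
    return ("vulnerable" if status else "fixed", version)


# Constructed sample banners; the Coyote line alone carries no Tomcat version.
SAMPLES = [
    "<h3>Apache Tomcat/6.0.18</h3>",
    "<h3>Apache Tomcat/5.5.28</h3>",
    "<h3>Apache Tomcat/4.1.39</h3>",
    "<h3>Apache Tomcat/5.0.28</h3>",
    "Server: Apache-Coyote/1.1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, version = assess(s)
        print(f"{verdict:<11} {version}  <- {s}")
```

Because the check reads only the version string, a build that carries backported fixes but still reports an old version will be flagged as vulnerable, and a server with the banner suppressed yields "unknown" rather than a verdict; both are why the note above is worth keeping next to any finding produced this way.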
| Max CVSS | Min CVSS | Total Count |
| --- | --- | --- |
| 0 | 0 | 2 |

| ID | CVSS | Summary | Last (major) update | Published |
| --- | --- | --- | --- | --- |