- CVEs with nessus.description matching the following text (URL-decoded):

From Red Hat Security Advisory 2009:1164:

Updated tomcat packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was discovered that the Red Hat Security Advisory RHSA-2007:0871 did not address all possible flaws in the way Tomcat handles certain characters and character sequences in cookie values. A remote attacker could use this flaw to obtain sensitive information, such as session IDs, and then use this information for session hijacking attacks. (CVE-2007-5333)

Note: The fix for the CVE-2007-5333 flaw changes the default cookie processing behavior: with this update, version 0 cookies that contain values that must be quoted to be valid are automatically changed to version 1 cookies. To reactivate the previous, but insecure behavior, add the following entry to the '/etc/tomcat5/catalina.properties' file:

org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false

It was discovered that request dispatchers did not properly normalize user requests that have trailing query strings, allowing remote attackers to send specially crafted requests that would cause an information leak. (CVE-2008-5515)

A flaw was found in the way the Tomcat AJP (Apache JServ Protocol) connector processes AJP connections. An attacker could use this flaw to send specially crafted requests that would cause a temporary denial of service. (CVE-2009-0033)

It was discovered that the error checking methods of certain authentication classes did not have sufficient error checking, allowing remote attackers to enumerate (via brute-force methods) usernames registered with applications running on Tomcat when FORM-based authentication was used. (CVE-2009-0580)

A cross-site scripting (XSS) flaw was found in the examples calendar application. With some web browsers, remote attackers could use this flaw to inject arbitrary web script or HTML via the 'time' parameter. (CVE-2009-0781)

It was discovered that web applications containing their own XML parsers could replace the XML parser Tomcat uses to parse configuration files. A malicious web application running on a Tomcat instance could read or, potentially, modify the configuration and XML-based data of other web applications deployed on the same Tomcat instance. (CVE-2009-0783)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to resolve these issues. Tomcat must be restarted for this update to take effect
| Max CVSS | Min CVSS | Total Count |
| --- | --- | --- |
| 0 | 0 | 2 |