Vulnerabilites related to apache - tomcat
Vulnerability from fkie_nvd
Published
2025-05-29 19:15
Modified
2025-06-25 15:40
Severity ?
Summary
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.
Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/05/29/4 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7F40F219-F606-447E-ACCD-D7A96093ED91",
"versionEndExcluding": "9.0.105",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4BA93AAE-946D-4DF3-AF9F-36C83FB7F1CB",
"versionEndExcluding": "10.1.41",
"versionStartIncluding": "10.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6475FBD6-E85B-4926-813F-CAE6A742871A",
"versionEndExcluding": "11.0.7",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Handling of Case Sensitivity vulnerability in Apache Tomcat\u0027s GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.\n\nUsers are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue."
},
{
"lang": "es",
"value": "La vulnerabilidad de manejo incorrecto de la distinci\u00f3n entre may\u00fasculas y min\u00fasculas en el servlet GCI de Apache Tomcat permite eludir las restricciones de seguridad aplicables al componente pathInfo de una URI asignada al servlet CGI. Este problema afecta a Apache Tomcat: de la 11.0.0-M1 a la 11.0.6, de la 10.1.0-M1 a la 10.1.40 y de la 9.0.0.M1 a la 9.0.104. Se recomienda a los usuarios actualizar a las versiones 11.0.7, 10.1.41 o 9.0.105, que solucionan el problema."
}
],
"id": "CVE-2025-46701",
"lastModified": "2025-06-25T15:40:55.053",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-05-29T19:15:27.983",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/05/29/4"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-178"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2002-12-31 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BAFF8D91-80A2-454A-8B44-A5A889002692",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FEC42876-65AD-476A-8B62-25D4E15D1BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "724A8FF9-8089-4302-8200-08987A712988",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3F97DDB7-E32B-422F-8AEA-07C75DEAD36E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7079F63C-7CA8-4909-A9C8-45C4C1C1C186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "EC829C8E-1061-4F62-BA4B-FE5C7F11F209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "143BA75E-A186-47EF-A18C-B1A1A1F61C00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C0CDF9E1-9412-450E-B1D4-438F128FFF9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "32561F50-6385-4D71-AFAC-3D2F8DB55A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "914E1404-01A2-4F94-AA40-D5EA20F55AD3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81FB1106-B26D-45BE-A511-8E69131BBA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "401A213A-FED3-49C0-B823-2E02EA528905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0E300013-0CE7-4313-A553-74A6A247B3E9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets."
}
],
"id": "CVE-2002-2006",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2002-12-31T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2002-04/0311.html"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "cve@mitre.org",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "cve@mitre.org",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.iss.net/security_center/static/8932.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/4575"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2002-04/0311.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.iss.net/security_center/static/8932.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/4575"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2002-12-31 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | http_server | 1.3 | |
| apache | http_server | 1.3.0 | |
| apache | http_server | 1.3.1 | |
| apache | http_server | 1.3.2 | |
| apache | http_server | 1.3.10 | |
| apache | http_server | 1.3.11 | |
| apache | http_server | 1.3.12 | |
| apache | http_server | 1.3.13 | |
| apache | http_server | 1.3.14 | |
| apache | http_server | 1.3.15 | |
| apache | http_server | 1.3.16 | |
| apache | http_server | 1.3.17 | |
| apache | http_server | 1.3.18 | |
| apache | http_server | 1.3.19 | |
| apache | http_server | 1.3.20 | |
| apache | http_server | 1.3.22 | |
| apache | http_server | 1.3.23 | |
| apache | http_server | 1.3.24 | |
| apache | http_server | 1.3.25 | |
| apache | http_server | 1.3.26 | |
| apache | http_server | 1.3.27 | |
| apache | tomcat | 4.0.0 | |
| apache | tomcat | 4.0.1 | |
| apache | tomcat | 4.0.2 | |
| apache | tomcat | 4.0.3 | |
| apache | tomcat | 4.0.4 | |
| apache | tomcat | 4.0.5 | |
| apache | tomcat | 4.0.6 | |
| apache | tomcat | 4.1.0 | |
| apache | tomcat | 4.1.1 | |
| apache | tomcat | 4.1.2 | |
| apache | tomcat | 4.1.3 | |
| apache | tomcat | 4.1.3 | |
| apache | tomcat | 4.1.9 | |
| apache | tomcat | 4.1.10 | |
| apache | tomcat | 4.1.12 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:http_server:1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "28EC1F94-04F3-490A-8324-1EB60EEBAD4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D9B12229-3F9E-469C-8AD6-7E43FA45B876",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "30D94958-0D13-4076-B6F0-61D505136789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "691D7D29-420E-4ABC-844F-D5DD401598F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F715F8CB-A473-4374-8CF1-E9D74EBA5E8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "7B6EE0E2-D608-4E72-A0E5-F407511405C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*",
"matchCriteriaId": "33FD6791-3B84-40CA-BCF4-B5637B172F2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.13:*:*:*:*:*:*:*",
"matchCriteriaId": "06F447C8-15FE-44DE-86AD-5E2D496AB2A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6DDD2F69-CFD4-4DEA-B43A-1337EEFA95A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.15:*:*:*:*:*:*:*",
"matchCriteriaId": "A4955E57-9C5D-40C2-BD5F-A383FF3C33FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.16:*:*:*:*:*:*:*",
"matchCriteriaId": "6A7607F8-6C2A-4976-A861-3BEE1F45002B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:*",
"matchCriteriaId": "0A80B17D-FD66-40BD-9ADC-FE7A3944A696",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:*",
"matchCriteriaId": "713ADED4-CBE5-40C3-A128-99CFABF24560",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*",
"matchCriteriaId": "70FA0B8E-1A90-4939-871A-38B9E93BCCC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*",
"matchCriteriaId": "83BDEAE5-29B9-48E3-93FA-F30832044C9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*",
"matchCriteriaId": "A2720E06-1B0E-4BFE-8C85-A17E597BB151",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*",
"matchCriteriaId": "3EE1DECF-36C7-4968-8B7A-7A2034C2A957",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*",
"matchCriteriaId": "B67BD173-8517-4E97-BC65-D9657C63601A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:*",
"matchCriteriaId": "B392A96F-FD2F-4073-8EED-EB31E1F20FE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:*",
"matchCriteriaId": "E130104B-86F5-411E-8AC0-9B4B780BCA00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:1.3.27:*:*:*:*:*:*:*",
"matchCriteriaId": "0E62E621-74DA-4D99-A79C-AD2B85896A2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "914E1404-01A2-4F94-AA40-D5EA20F55AD3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81FB1106-B26D-45BE-A511-8E69131BBA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "401A213A-FED3-49C0-B823-2E02EA528905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7641278D-3B8B-4CD2-B284-2047B65514A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7B9911-E836-4A96-A0E8-D13C957EC0EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D2341C51-A239-4A4A-B0DC-30F18175442C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0E300013-0CE7-4313-A553-74A6A247B3E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E08D7414-8D0C-45D6-8E87-679DF0201D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AB15C5DB-0DBE-4DAD-ACBD-FAE23F768D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "60CFD9CA-1878-4C74-A9BD-5D581736E6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*",
"matchCriteriaId": "B7E52BE7-5281-4430-8846-E41CF34FC214",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*",
"matchCriteriaId": "CBDA8066-294D-431E-B026-C03707DFBCD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C92F3744-C8F9-4E29-BF1A-25E03A32F2C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "F7DDA1D1-1DB2-4FD6-90A6-7DDE2FDD73F4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values."
}
],
"id": "CVE-2002-2272",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2002-12-31T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2002-12/0045.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch"
],
"url": "http://www.securityfocus.com/bid/6320"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10771"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2002-12/0045.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "http://www.securityfocus.com/bid/6320"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10771"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-12 15:15
Modified
2024-11-21 06:04
Severity ?
Summary
A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | 8.5.64 | |
| apache | tomcat | 9.0.44 | |
| apache | tomcat | 10.0.3 | |
| apache | tomcat | 10.0.4 | |
| mcafee | epolicy_orchestrator | * | |
| mcafee | epolicy_orchestrator | 5.10.0 | |
| mcafee | epolicy_orchestrator | 5.10.0 | |
| mcafee | epolicy_orchestrator | 5.10.0 | |
| mcafee | epolicy_orchestrator | 5.10.0 | |
| mcafee | epolicy_orchestrator | 5.10.0 | |
| mcafee | epolicy_orchestrator | 5.10.0 | |
| mcafee | epolicy_orchestrator | 5.10.0 | |
| mcafee | epolicy_orchestrator | 5.10.0 | |
| mcafee | epolicy_orchestrator | 5.10.0 | |
| mcafee | epolicy_orchestrator | 5.10.0 | |
| mcafee | epolicy_orchestrator | 5.10.0 | |
| oracle | big_data_spatial_and_graph | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.64:*:*:*:*:*:*:*",
"matchCriteriaId": "957579EB-9220-4E0F-AAA7-8C3508F1B324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "EFF4A0C3-65AA-4B29-A5F7-343478672608",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7F002FE3-E742-465B-97A3-D0A530E712C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "1CD1CF8D-350B-4C2D-B801-2FD780890340",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A30F7908-5AF6-4761-BC6A-4C18EFAE48E5",
"versionEndExcluding": "5.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0F30D3AF-4FA3-4B7A-BE04-C24E2EA19A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*",
"matchCriteriaId": "7B00DDE7-7002-45BE-8EDE-65D964922CB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:*",
"matchCriteriaId": "DB88C165-BB24-49FB-AAF6-087A766D5AD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*",
"matchCriteriaId": "FF806B52-DAD5-4D12-8BB6-3CBF9DC6B8DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*",
"matchCriteriaId": "7DE847E0-431D-497D-9C57-C4E59749F6A0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*",
"matchCriteriaId": "46385384-5561-40AA-9FDE-A2DE4FDFAD3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*",
"matchCriteriaId": "B7CA7CA6-7CF2-48F6-81B5-69BA0A37EF4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*",
"matchCriteriaId": "9E4E5481-1070-4E1F-8679-1985DE4E785A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*",
"matchCriteriaId": "D9EEA681-67FF-43B3-8610-0FA17FD279E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*",
"matchCriteriaId": "C33BA8EA-793D-4E79-BE9C-235ACE717216",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:*",
"matchCriteriaId": "823DBE80-CB8D-4981-AE7C-28F3FDD40451",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*",
"matchCriteriaId": "384DEDD9-CB26-4306-99D8-83068A9B23ED",
"versionEndExcluding": "23.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64."
},
{
"lang": "es",
"value": "Una vulnerabilidad en Apache Tomcat permite a un atacante desencadenar remotamente una denegaci\u00f3n de servicio. Un error introducido como parte de un cambio para mejorar el manejo de errores durante la I/O sin bloqueo significaba que el flag de error asociado al objeto Request no se restablec\u00eda entre peticiones. Esto significaba que una vez que se produc\u00eda un error de I/O sin bloqueo, todas las futuras peticiones manejadas por ese objeto de petici\u00f3n podr\u00edan producir un fallo. Unos usuarios pod\u00edan desencadenar errores de I/O sin bloqueo, por ejemplo, abandonando una conexi\u00f3n, creando as\u00ed la posibilidad de desencadenar una DoS. Las aplicaciones que no usan I/O sin bloqueo no est\u00e1n expuestas a esta vulnerabilidad. Este problema afecta a Apache Tomcat versiones 10.0.3 a 10.0.4; 9.0.44; 8.5.64"
}
],
"id": "CVE-2021-30639",
"lastModified": "2024-11-21T06:04:20.727",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-12T15:15:08.333",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-34"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210827-0007/"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-34"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210827-0007/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-755"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2000-07-20 04:00
Modified
2025-04-03 01:03
Severity ?
Summary
The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://archives.neohapsis.com/archives/bugtraq/2000-07/0309.html | Broken Link, Exploit, Patch, Vendor Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/1548 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/5160 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://archives.neohapsis.com/archives/bugtraq/2000-07/0309.html | Broken Link, Exploit, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/1548 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/5160 | Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BAFF8D91-80A2-454A-8B44-A5A889002692",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FEC42876-65AD-476A-8B62-25D4E15D1BB6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory."
}
],
"id": "CVE-2000-0672",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2000-07-20T04:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2000-07/0309.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/1548"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/5160"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2000-07/0309.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/1548"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/5160"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2003-11-17 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
The Catalina org.apache.catalina.connector.http package in Tomcat 4.0.x up to 4.0.3 allows remote attackers to cause a denial of service via several requests that do not follow the HTTP protocol, which causes Tomcat to reject later requests.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "914E1404-01A2-4F94-AA40-D5EA20F55AD3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81FB1106-B26D-45BE-A511-8E69131BBA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "401A213A-FED3-49C0-B823-2E02EA528905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7641278D-3B8B-4CD2-B284-2047B65514A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7B9911-E836-4A96-A0E8-D13C957EC0EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D2341C51-A239-4A4A-B0DC-30F18175442C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Catalina org.apache.catalina.connector.http package in Tomcat 4.0.x up to 4.0.3 allows remote attackers to cause a denial of service via several requests that do not follow the HTTP protocol, which causes Tomcat to reject later requests."
},
{
"lang": "es",
"value": "El paquete Catalina org.apache.catalina.connector.http en Tomcat 4.0.x a 4.0.3 permite a atacantes remotos causar una denegaci\u00f3n de servicio mediante ciertas peticiones que no siguen el protocolo HTTP, lo que hace que Tomcat rechace peticiones subsiguientes."
}
],
"id": "CVE-2003-0866",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2003-11-17T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=215506"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "cve@mitre.org",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "cve@mitre.org",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2003/dsa-395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.securityfocus.com/bid/8824"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/13429"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=215506"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2003/dsa-395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.securityfocus.com/bid/8824"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/13429"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-19 11:15
Modified
2025-06-13 16:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.
Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2FC8F5FF-3E97-49CE-BF17-9ECFD0786E8F",
"versionEndExcluding": "8.5.64",
"versionStartIncluding": "8.5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "51D2E845-77E6-4D63-B3AA-E5C819589BAD",
"versionEndExcluding": "9.0.44",
"versionStartIncluding": "9.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.\n\nUsers are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de generaci\u00f3n de mensaje de error que contiene informaci\u00f3n confidencial en Apache Tomcat. Este problema afecta a Apache Tomcat: desde 8.5.7 hasta 8.5.63, desde 9.0.0-M11 hasta 9.0.43. Se recomienda a los usuarios actualizar a la versi\u00f3n 8.5.64 en adelante o 9.0.44 en adelante, que contienen una soluci\u00f3n para el problema."
}
],
"id": "CVE-2024-21733",
"lastModified": "2025-06-13T16:15:24.760",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-01-19T11:15:08.043",
"references": [
{
"source": "security@apache.org",
"url": "http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/01/19/2"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20240216-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/01/19/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240216-0005/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-209"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-02-12 01:00
Modified
2025-04-09 00:30
Severity ?
Summary
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E458C818-F9FA-4D48-8D70-D284138BB7F8",
"versionEndIncluding": "4.1.36",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8B9A1E54-7B84-4ECE-88ED-B28AA9A4EA6E",
"versionEndIncluding": "5.5.25",
"versionStartIncluding": "5.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0BBB0739-1784-432E-BF78-3E120A11EE56",
"versionEndIncluding": "6.0.14",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (\") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385."
},
{
"lang": "es",
"value": "Apache Tomcat 6.0.0 hasta 6.0.14, 5.5.0 hasta 5.5.25, 4.1.36 y 4.1.0 al no manejar adecuadamente secuencias (1) caracteres de dobles comillas (\") o (2) secuencias de contrabarra codificadas %5C en un valor de cookie, podr\u00eda provocar que informaci\u00f3n sensible como los IDs de sesi\u00f3n sean filtradas a atacantes remotos, as\u00ed como habilitar ataques de secuestro de sesi\u00f3n.\r\nNOTA: este problema existe debido a una arreglo erroneo de CVE-2007-3385."
}
],
"id": "CVE-2007-5333",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-02-12T01:00:00.000",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvn.jp/jp/JVN%2309470767/index.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/28878"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/28884"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/28915"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/29711"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/30676"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/30802"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/32036"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/32222"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/33330"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/37460"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/44183"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/57126"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://security.gentoo.org/glsa/glsa-200804-10.xml"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://securityreason.com/securityalert/3636"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://support.apple.com/kb/HT3216"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg24018932"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27012047"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27012048"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1IZ20133"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1IZ20991"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:018"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp08/html-single/Release_Notes/index.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/487822/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/27706"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/31681"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2008-0010.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2008/0488"
},
{
"source": "secalert@redhat.com",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2008/1856/references"
},
{
"source": "secalert@redhat.com",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "secalert@redhat.com",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2008/2690"
},
{
"source": "secalert@redhat.com",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2008/2780"
},
{
"source": "secalert@redhat.com",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=532111"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"tags": [
"Tool Signature"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11177"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvn.jp/jp/JVN%2309470767/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/28878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/28884"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/28915"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/29711"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/30676"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/30802"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/32036"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/32222"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/33330"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/37460"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/44183"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://secunia.com/advisories/57126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://security.gentoo.org/glsa/glsa-200804-10.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://securityreason.com/securityalert/3636"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://support.apple.com/kb/HT3216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg24018932"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27012047"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27012048"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1IZ20133"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1IZ20991"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:018"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp08/html-single/Release_Notes/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/487822/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/27706"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/31681"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2008-0010.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2008/0488"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2008/1856/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2008/2690"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2008/2780"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"URL Repurposed"
],
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=532111"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Tool Signature"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11177"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vendorComments": [
{
"comment": "Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5333\n\nThe Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.",
"lastModified": "2008-04-24T00:00:00",
"organization": "Red Hat"
}
],
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-01-19 18:02
Modified
2025-04-11 00:51
Severity ?
Summary
The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| redhat | jboss_enterprise_application_platform | 6.1.0 | |
| redhat | jboss_enterprise_portal_platform | 6.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CEBF404D-B53C-4B16-9010-0777DEE1B9E8",
"versionEndIncluding": "7.0.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AF680478-162A-4F7B-B9BA-C407FA3C0EEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AC0F117C-E25C-4B0C-9459-4BB4413440CB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "secalert@redhat.com",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue"
},
{
"lang": "es",
"value": "** EN DISPUTA ** ** El m\u00e9todo readObject en la clase DiskFileItem en Apache Tomcat y JBoss Web, tal como se utiliza en la plataforma Red Hat JBoss Enterprise Application 6.1.0 y Red Hat JBoss Portal 6.0.0, permite a atacantes remotos para escribir en archivos arbitrarios a trav\u00e9s de un byte NULL en un nombre de archivo en una instancia serializada, un problema similar a CVE-2013-2.186. NOTA: se ha informado que este problema es disputado por el equipo de Apache Tomcat, aunque Red Hat lo considera una vulnerabilidad. La disputa parece considerar si se trata de la responsabilidad de las aplicaciones para evitar que los datos no confiables para ser deserializados, o si esta clase debe proteger inherentemente contra este tema."
}
],
"id": "CVE-2013-2185",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-01-19T18:02:57.037",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2014/10/24/12"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1193.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1194.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1265.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2013/09/05/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2014/10/24/12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1193.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1194.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1265.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2013/09/05/4"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2001-08-02 04:00
Modified
2025-04-03 01:03
Severity ?
Summary
Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2509D996-9DB0-4710-86A1-4E60782D2E20",
"versionEndIncluding": "3.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary \u0027jsp\u0027 files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0)."
}
],
"id": "CVE-2001-0590",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2001-08-02T04:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2001-04/0031.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/5580"
},
{
"source": "cve@mitre.org",
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0112-004"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6971"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2001-04/0031.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/5580"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0112-004"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6971"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-05-21 20:30
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "914E1404-01A2-4F94-AA40-D5EA20F55AD3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81FB1106-B26D-45BE-A511-8E69131BBA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "401A213A-FED3-49C0-B823-2E02EA528905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7641278D-3B8B-4CD2-B284-2047B65514A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7B9911-E836-4A96-A0E8-D13C957EC0EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D2341C51-A239-4A4A-B0DC-30F18175442C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C92F3744-C8F9-4E29-BF1A-25E03A32F2C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*",
"matchCriteriaId": "1C03E4C9-34E3-42F7-8B73-D3C595FD7EE1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*",
"matchCriteriaId": "B1D9BD7E-FCC2-404B-A057-1A10997DAFF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*",
"matchCriteriaId": "6A79DA2C-35F3-47DE-909B-8D8D1AE111C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*",
"matchCriteriaId": "17522878-4266-432A-859D-C02096C8AC0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A8FEEF0-8E57-43B1-8316-228B76E458D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D82F3FAE-91AD-4F0B-A1F7-11C1A97C5ECB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A3B2802B-E56C-462A-9601-361A9166B5F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "190FB4FD-22A5-4771-8F99-1E260A36A474",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4BD3785E-3A09-4BE4-96C7-619B8A7D5062",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "285F7969-09F6-48CC-89CE-928225A53CDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "3B9EDACC-0300-4DA7-B1CD-5F7A6029AF38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "6B387EF0-94AD-4C8E-8CD4-4F5F706481BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "DA486065-18D5-4425-ADA5-284101919564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A0141E20-2E3D-4CD0-A757-D7CA98499CCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E62493D-FEAE-49E8-A293-CE18451D0264",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "FA01AB58-CAB2-420A-9899-EAB153DD898A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D731AFDD-9C33-4DC8-9BC6-06BB51048752",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "01706205-1369-4E5D-8936-723DA980CA9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "0DC4A52C-6FBC-420A-885A-F72BC1DBAEC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "3A1C882D-949B-40B9-BC9F-E7FCE4FE7C3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "9A1451D2-B905-4AD7-9BD7-10CF2A12BA34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C505696B-10E4-4B99-A598-40FA0DA39F7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "9EB2F3D8-25A1-408E-80D0-59D52A901284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "C3904E9A-585A-4005-B2E9-13538535383D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "AA1934BF-83E3-4B0B-A1DF-391A5332CE39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F06B9809-5BFA-4DB9-8753-1D8319713879",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "DF6631B0-9F2E-4C5F-AB21-F085A8C1559B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "15625451-E56D-405F-BE9B-B3CB1A35E929",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "97ADBDC4-B669-467D-9A07-9A2DD8B68374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA876C8-4417-4C35-9FEC-278D45CE6E92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "03C08A88-9377-4B32-8173-EE2D121B06D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "F7225A43-8EAE-4DA6-BBDC-4418D5444767",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A46C0933-3B19-40EA-8DED-2BF25AB85C17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en la aplicaci\u00f3n ejemplo appdev/sample/web/hello.jsp en Tomcat 4.0.0 hasta la 4.0.6, 4.1.0 hasta la 4.1.36, 5.0.0 hasta la 5.0.30, 5.5.0 hasta la5.5.23, y 6.0.0 hasta la 6.0.10 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro test y vectores no especificados."
}
],
"id": "CVE-2007-1355",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2007-05-21T20:30:00.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "secalert@redhat.com",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "secalert@redhat.com",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/34875"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/27037"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/27727"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30802"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/31493"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "secalert@redhat.com",
"url": "http://securityreason.com/securityalert/2722"
},
{
"source": "secalert@redhat.com",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "secalert@redhat.com",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/469067/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Patch"
],
"url": "http://www.securityfocus.com/bid/24058"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/3386"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34377"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6111"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/34875"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/27037"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/27727"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30802"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31493"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/2722"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/469067/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "http://www.securityfocus.com/bid/24058"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/3386"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34377"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6111"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2003-02-07 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BAFF8D91-80A2-454A-8B44-A5A889002692",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FEC42876-65AD-476A-8B62-25D4E15D1BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "724A8FF9-8089-4302-8200-08987A712988",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3F97DDB7-E32B-422F-8AEA-07C75DEAD36E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7079F63C-7CA8-4909-A9C8-45C4C1C1C186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "EC829C8E-1061-4F62-BA4B-FE5C7F11F209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "143BA75E-A186-47EF-A18C-B1A1A1F61C00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C0CDF9E1-9412-450E-B1D4-438F128FFF9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "32561F50-6385-4D71-AFAC-3D2F8DB55A4B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character."
},
{
"lang": "es",
"value": "Jakarta Tomcat antes de 3.3.1a, cuando se usa con JDK 1.3.1 o anterior, permite a atacantes remotos listar directorios incluso cuando un index.html u otro fichero presente mediante una URL conteniendo un car\u00e1cter nulo."
}
],
"id": "CVE-2003-0042",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2003-02-07T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=104394568616290\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/7972"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/7977"
},
{
"source": "cve@mitre.org",
"url": "http://www.ciac.org/ciac/bulletins/n-060.shtml"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2003/dsa-246"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/advisories/5111"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/6721"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11194"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=104394568616290\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/7972"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/7977"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ciac.org/ciac/bulletins/n-060.shtml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2003/dsa-246"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/advisories/5111"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/6721"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11194"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-02-24 22:15
Modified
2024-11-21 05:11
Severity ?
Summary
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2EC441A9-309B-4478-A60C-AD9EE2E31C53",
"versionEndIncluding": "7.0.99",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0CE458D0-7BED-406E-AEDC-0A74D5B2245B",
"versionEndIncluding": "8.5.50",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "255568C5-7907-4C8C-BD1A-8F1F6061CE17",
"versionEndIncluding": "9.0.30",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "67BBBD83-E232-4198-9748-C512D9E0EEDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:data_availability_services:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0EF46487-B64A-454E-AECC-D74B83170ACD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "34B80C9D-62AA-42FA-AB46-F8A414FCBE5E",
"versionEndIncluding": "3.1.3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F8C893E4-1D3A-4687-BE5A-D26FFEBCCC78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "B0BB81C3-29FD-4AE0-8D46-456FAF135F6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "4305ED0E-30CC-4AEA-8988-3D1EC93A0BB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0C57FD3A-0CC1-4BA9-879A-8C4A40234162",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "698FB6D0-B26F-4760-9B9B-1C65FBFF2126",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4F1D64BC-17BF-4DAE-B5FC-BC41F9C12DFD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0DB23B9A-571E-4B77-B432-23F3DC9B67D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F5F58398-0001-42FE-BD17-44F924955C3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:health_sciences_empirica_signal:7.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "456AE11C-DD5B-4EA9-AA93-AAFC988830EB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1A3DC116-2844-47A1-BEC2-D0675DD97148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E0F1DF3E-0F2D-4EFC-9A3E-F72149C8AE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DED59B62-C9BF-4C0E-B351-3884E8441655",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A74FD5F-4FEA-4A74-8B92-72DFDE6BA464",
"versionEndIncluding": "17.3",
"versionStartIncluding": "17.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E7116EED-13F0-41A6-93D4-DBBDBD984423",
"versionEndIncluding": "4.0.12",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "73573516-EDA0-4176-A3ED-2F7006C87F8E",
"versionEndIncluding": "8.0.20",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EE8CF045-09BB-4069-BCEC-496D5AE3B780",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F510ED6D-7BF8-4548-BF0F-3CF926EB135E",
"versionEndIncluding": "20.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*",
"matchCriteriaId": "A58642E0-CA59-4DE6-A83C-F551FC621C32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AD848FE1-CFD7-490C-B008-DF3B30F3256F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*",
"matchCriteriaId": "630C8E99-FE49-486E-9003-40B82809B7A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*",
"matchCriteriaId": "C842DE9E-5E12-4295-AFA5-DEB5FEDE490A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely."
},
{
"lang": "es",
"value": "En Apache Tomcat versiones 9.0.0.M1 hasta 9.0.30, versiones 8.5.0 hasta 8.5.50 y versiones 7.0.0 hasta 7.0.99, el c\u00f3digo de an\u00e1lisis del encabezado HTTP utiliz\u00f3 un enfoque para el an\u00e1lisis de fin de l\u00ednea que permiti\u00f3 a algunos encabezados HTTP no v\u00e1lidos ser analizados como v\u00e1lidos. Esto conllev\u00f3 a una posibilidad de Tr\u00e1fico No Autorizado de Peticiones HTTP si Tomcat se encontraba detr\u00e1s de un proxy inverso que manejaba incorrectamente el encabezado Transfer-Encoding no v\u00e1lido en una manera particular. Tal proxy inverso es considerado improbable."
}
],
"id": "CVE-2020-1935",
"lastModified": "2024-11-21T05:11:38.730",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-02-24T22:15:11.980",
"references": [
{
"source": "security@apache.org",
"tags": [
"Broken Link",
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200327-0005/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4448-1/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4673"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4680"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200327-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4448-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4673"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4680"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-444"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-04-25 20:19
Modified
2025-04-09 00:30
Severity ?
Summary
The AJP connector in Apache Tomcat 5.5.15 uses an incorrect length for chunks, which can cause a buffer over-read in the ajp_process_callback in mod_jk, which allows remote attackers to read portions of sensitive memory.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The AJP connector in Apache Tomcat 5.5.15 uses an incorrect length for chunks, which can cause a buffer over-read in the ajp_process_callback in mod_jk, which allows remote attackers to read portions of sensitive memory."
},
{
"lang": "es",
"value": "El conector AJP en Apache Tomcat 5.5.15 utiliza un longitud incorrecta para chunks, lo cual podr\u00eda provocar una lectura m\u00e1s all\u00e1 del l\u00edmite del b\u00fafer en ajp_process_callback en mod_jk, lo cual podr\u00eda permitir a atacantes remotos leer porciones de memoria sensibles.\r\n"
}
],
"id": "CVE-2006-7197",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-04-25T20:19:00.000",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38859"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/28477"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38859"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/28477"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2006-07-25 13:22
Modified
2025-04-03 01:03
Severity ?
Summary
Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "03C08A88-9377-4B32-8173-EE2D121B06D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do."
},
{
"lang": "es",
"value": "Apache Tomcat 5 anterior a 5.5.17 permite a atacantes remotos listar directorios a trav\u00e9s de un punto y coma (;) precedido de un nombre de archivo con una extensi\u00f3n mapeada, como se demostr\u00f3 con las URLs finalizadas con /;index.jsp y /;help.do."
}
],
"id": "CVE-2006-3835",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2006-07-25T13:22:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0467.html"
},
{
"source": "cve@mitre.org",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/25212"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/37297"
},
{
"source": "cve@mitre.org",
"url": "http://securitytracker.com/id?1016576"
},
{
"source": "cve@mitre.org",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "cve@mitre.org",
"url": "http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm"
},
{
"source": "cve@mitre.org",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "cve@mitre.org",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "cve@mitre.org",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.sec-consult.com/289.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securenetwork.it/ricerca/advisory/download/SN-2009-02.txt"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/468048/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/507729/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/19106"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2007/1727"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27902"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34183"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0467.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/25212"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/37297"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1016576"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.sec-consult.com/289.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securenetwork.it/ricerca/advisory/download/SN-2009-02.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/468048/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/507729/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/19106"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/1727"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27902"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34183"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "cve@mitre.org",
"vendorComments": [
{
"comment": "This issue is not a security issue in Tomcat itself, but is caused when directory listings are enabled.\n\nDetails on how to disable directory listings are available at: http://tomcat.apache.org/faq/misc.html#listing",
"lastModified": "2006-08-24T00:00:00",
"organization": "Red Hat"
}
],
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2001-11-22 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path information by requesting a long URL with a .JSP extension.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81FB1106-B26D-45BE-A511-8E69131BBA52",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path information by requesting a long URL with a .JSP extension."
}
],
"id": "CVE-2001-0917",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2001-11-22T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=100654722925155\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=tomcat-dev\u0026m=100658457507305\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/7599"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=100654722925155\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=tomcat-dev\u0026m=100658457507305\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/7599"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-11-16 21:55
Modified
2025-04-11 00:51
Severity ?
Summary
java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D11D6FB7-CBDB-48C1-98CB-1B3CAA36C5D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*",
"matchCriteriaId": "0A354C34-A3FE-4B8A-9985-8874A0634BC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*",
"matchCriteriaId": "CFE300CC-FD4A-444E-8506-E5E269D0A0A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*",
"matchCriteriaId": "F50A3EC9-516E-48A7-839B-A73F491B5B9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "8C28F09D-5CAA-4CA7-A2B5-3B2820F5F409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:alpha:*:*:*:*:*:*",
"matchCriteriaId": "FAC2FC75-97D2-4EA1-A1A0-F592A6D7C1F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:alpha:*:*:*:*:*:*",
"matchCriteriaId": "C4871FD1-7F8C-4677-A80B-4A0BBC71DD7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:alpha:*:*:*:*:*:*",
"matchCriteriaId": "31AB969A-9ACE-44EF-B2E5-CEC008F47C46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:beta:*:*:*:*:*:*",
"matchCriteriaId": "06217215-72E4-4478-BACB-628A0836A645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:alpha:*:*:*:*:*:*",
"matchCriteriaId": "EA810F3F-ADD3-4D3F-9DFC-DBDD87B3079C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:beta:*:*:*:*:*:*",
"matchCriteriaId": "8B79F2EA-C893-4359-80EC-24AE38D982E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "CE92E59A-FF0D-4D1A-8B12-CC41A7E1FD3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "48E5E8C3-21AD-4230-B945-AB7DE66307B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4945C8C1-C71B-448B-9075-07C6C92599CF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data."
},
{
"lang": "es",
"value": "java/org/apache/coyote/http11/InternalNioInputBuffer.java en el conector HTTP NIO en Apache Tomcat v6.x antes de v6.0.36 y v7.x antes de V7.0.28 no restringe correctamente el tama\u00f1o de la petici\u00f3n de cabecera, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (por excesivo consumo de memoria) a trav\u00e9s de una gran cantidad de datos en una cabecera.\r\n"
}
],
"id": "CVE-2012-2733",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-11-16T21:55:01.353",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136612293908376\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136612293908376\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/51371"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1350301"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1356208"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/56402"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id?1027729"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-1637-1"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19218"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136612293908376\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136612293908376\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/51371"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1350301"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1356208"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/56402"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1027729"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-1637-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19218"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-28 14:15
Modified
2025-05-21 15:15
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/09/28/1 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3 | Mailing List, Vendor Advisory | |
| security@apache.org | https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html | Mailing List, Third Party Advisory | |
| security@apache.org | https://www.debian.org/security/2022/dsa-5265 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/09/28/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2022/dsa-5265 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| debian | debian_linux | 10.0 | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1F762135-0F3D-4344-AA58-48E239BF3E1B",
"versionEndIncluding": "8.5.77",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "503E5C18-810C-4F6F-962B-20CCACCAB114",
"versionEndIncluding": "9.0.60",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "894AE0F8-6F54-41FC-BD51-505BD404EC5C",
"versionEndIncluding": "10.0.18",
"versionStartIncluding": "10.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "F6BD4180-D3E8-42AB-96B1-3869ECF47F6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "D334103F-F64E-4869-BCC8-670A5AFCC76C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "6284B74A-1051-40A7-9D74-380FEEEC3F88",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client."
},
{
"lang": "es",
"value": "Una implementaci\u00f3n simplificada de lecturas y escrituras de bloqueo introducida en Tomcat versi\u00f3n 10 y retrocedida a Tomcat versi\u00f3n 9.0.47 en adelante expuso un error de concurrencia de larga data (pero extremadamente dif\u00edcil de activar) en Apache Tomcat versiones 10.1.0 a 10. 1.0-M12, 10.0.0-M1 a 10.0.18, 9.0.0-M1 a 9.0.60 y 8.5.0 a 8.5.77, que pod\u00eda causar que las conexiones de los clientes compartieran una instancia de Http11Processor resultando en que las respuestas, o parte de ellas, fueran recibidas por el cliente equivocado"
}
],
"id": "CVE-2021-43980",
"lastModified": "2025-05-21T15:15:55.223",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-09-28T14:15:09.880",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/28/1"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5265"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/28/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5265"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2005-05-02 04:00
Modified
2025-04-03 01:03
Severity ?
Summary
Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.hitachi-support.com/security_e/vuls_e/HS05-006_e/index-e.html | ||
| cve@mitre.org | http://www.kb.cert.org/vuls/id/204710 | Third Party Advisory, US Government Resource | |
| cve@mitre.org | http://www.kb.cert.org/vuls/id/JGEI-6A2LEF | Third Party Advisory, US Government Resource | |
| cve@mitre.org | http://www.securityfocus.com/bid/12795 | ||
| cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/19681 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.hitachi-support.com/security_e/vuls_e/HS05-006_e/index-e.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.kb.cert.org/vuls/id/204710 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.kb.cert.org/vuls/id/JGEI-6A2LEF | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/12795 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/19681 |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BAFF8D91-80A2-454A-8B44-A5A889002692",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FEC42876-65AD-476A-8B62-25D4E15D1BB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "724A8FF9-8089-4302-8200-08987A712988",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3F97DDB7-E32B-422F-8AEA-07C75DEAD36E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7079F63C-7CA8-4909-A9C8-45C4C1C1C186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2.2:beta2:*:*:*:*:*:*",
"matchCriteriaId": "4BE08AEE-4801-4FAF-97AD-BBD5C5849E3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "EC829C8E-1061-4F62-BA4B-FE5C7F11F209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "143BA75E-A186-47EF-A18C-B1A1A1F61C00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C0CDF9E1-9412-450E-B1D4-438F128FFF9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "32561F50-6385-4D71-AFAC-3D2F8DB55A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.3.1a:*:*:*:*:*:*:*",
"matchCriteriaId": "D51D88E7-6F5C-42B0-BAD6-7DCD9A357B43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007."
}
],
"id": "CVE-2005-0808",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2005-05-02T04:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.hitachi-support.com/security_e/vuls_e/HS05-006_e/index-e.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/204710"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/JGEI-6A2LEF"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/12795"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/19681"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.hitachi-support.com/security_e/vuls_e/HS05-006_e/index-e.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/204710"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/JGEI-6A2LEF"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/12795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/19681"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-06-05 16:00
Modified
2025-04-09 00:30
Severity ?
Summary
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0E300013-0CE7-4313-A553-74A6A247B3E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E08D7414-8D0C-45D6-8E87-679DF0201D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AB15C5DB-0DBE-4DAD-ACBD-FAE23F768D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "60CFD9CA-1878-4C74-A9BD-5D581736E6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*",
"matchCriteriaId": "B7E52BE7-5281-4430-8846-E41CF34FC214",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "02860646-1D72-4D9A-AE2A-5868C8EDB3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "5BE4B9B5-9C2E-47E1-9483-88A17264594F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "5BE92A9B-4B8C-468E-9162-A56ED5313E17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "AE21D455-5B38-4B07-8E25-4EE782501EB3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "B9AE125C-EB8E-4D33-BB64-1E2AEE18BF81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "47588ABB-FCE6-478D-BEAD-FC9A0C7D66DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*",
"matchCriteriaId": "CBDA8066-294D-431E-B026-C03707DFBCD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C92F3744-C8F9-4E29-BF1A-25E03A32F2C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "084B3227-FE22-43E3-AE06-7BB257018690",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "F7DDA1D1-1DB2-4FD6-90A6-7DDE2FDD73F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D2BFF1D5-2E34-4A01-83A7-6AA3A112A1B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6D536FF4-7582-4351-ABE3-876E20F8E7FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*",
"matchCriteriaId": "1C03E4C9-34E3-42F7-8B73-D3C595FD7EE1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.16:*:*:*:*:*:*:*",
"matchCriteriaId": "FB43F47F-5BF9-43A0-BF0E-451B4A8F7137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.17:*:*:*:*:*:*:*",
"matchCriteriaId": "DFFFE700-AAFE-4F5B-B0E2-C3DA76DE492D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.18:*:*:*:*:*:*:*",
"matchCriteriaId": "11DDD82E-5D83-4581-B2F3-F12655BBF817",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8A0F0C91-171E-421D-BE86-11567DEFC7BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.20:*:*:*:*:*:*:*",
"matchCriteriaId": "F22D2621-D305-43CE-B00D-9A7563B061F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.21:*:*:*:*:*:*:*",
"matchCriteriaId": "9A5D55E8-D3A3-4784-8AC6-CCB07E470AB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.22:*:*:*:*:*:*:*",
"matchCriteriaId": "7F4245BA-B05C-49DE-B2E0-1E588209ED3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.23:*:*:*:*:*:*:*",
"matchCriteriaId": "8633532B-9785-4259-8840-B08529E20DCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*",
"matchCriteriaId": "B1D9BD7E-FCC2-404B-A057-1A10997DAFF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F935ED72-58F4-49C1-BD9F-5473E0B9D8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.26:*:*:*:*:*:*:*",
"matchCriteriaId": "FADB75DC-8713-4F0C-9F06-30DA6F6EF6B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.27:*:*:*:*:*:*:*",
"matchCriteriaId": "2EA52901-2D16-4F7E-BF5E-780B42A55D6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*",
"matchCriteriaId": "6A79DA2C-35F3-47DE-909B-8D8D1AE111C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.29:*:*:*:*:*:*:*",
"matchCriteriaId": "8BF6952D-6308-4029-8B63-0BD9C648C60F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.30:*:*:*:*:*:*:*",
"matchCriteriaId": "94941F86-0BBF-4F30-8F13-FB895A11ED69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*",
"matchCriteriaId": "17522878-4266-432A-859D-C02096C8AC0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.32:*:*:*:*:*:*:*",
"matchCriteriaId": "951FFCD7-EAC2-41E6-A53B-F90C540327E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.33:*:*:*:*:*:*:*",
"matchCriteriaId": "BF1F2738-C7D6-4206-9227-43F464887FF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.34:*:*:*:*:*:*:*",
"matchCriteriaId": "98EEB6F2-A721-45CF-A856-0E01B043C317",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.35:*:*:*:*:*:*:*",
"matchCriteriaId": "02FDE602-A56A-477E-B704-41AF92EEBB9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.36:*:*:*:*:*:*:*",
"matchCriteriaId": "5A28B11A-3BC7-41BC-8970-EE075B029F5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.37:*:*:*:*:*:*:*",
"matchCriteriaId": "4AD3E84C-9A2E-4586-A09E-CBDEB1E7F695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.38:*:*:*:*:*:*:*",
"matchCriteriaId": "6EF54C08-5FF1-4D02-AA16-B13096BD566C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.39:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F3B31D-8974-4016-ACAF-E7A917C99F84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E98B82A-22E5-4E6C-90AE-56F5780EA147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "34672E90-C220-436B-9143-480941227933",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92883AFA-A02F-41A5-9977-ABEAC8AD2970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "989A78F8-EE92-465F-8A8D-ECF0B58AFE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1F5B6627-B4A4-4E2D-B96C-CA37CCC8C804",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "ACFB09F3-32D1-479C-8C39-D7329D9A6623",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "717F6995-5AF0-484C-90C0-A82F25FD2E32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9C36C-EF7E-4D42-9749-E2FF6CE35A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C98575E2-E39A-4A8F-B5B5-BD280B8367BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDA08E7-A417-44E8-9C89-EB22BEEC3B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "DCD1B6BE-CF07-4DA8-A703-4A48506C8AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "5878E08E-2741-4798-94E9-BA8E07386B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "69F6BAB7-C099-4345-A632-7287AEA555B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AAF031-D16B-4D51-9581-2D1376A5157B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*",
"matchCriteriaId": "51120689-F5C0-4DF1-91AA-314C40A46C58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F67477AB-85F6-421C-9C0B-C8EFB1B200CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*",
"matchCriteriaId": "16D0C265-2ED9-42CF-A7D6-C7FAE4246A1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*",
"matchCriteriaId": "5D70CFD9-B55D-4A29-B94C-D33F3E881A8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter."
},
{
"lang": "es",
"value": "Apache Tomcat v4.1.0 hasta v4.1.39, v5.5.0 hasta v5.5.27, y v6.0.0 hasta v6.0.18, cuando se utiliza autenticaci\u00f3n FORM, permite a atacantes remotos enumerar nombres de usuarios v\u00e1lidos a trav\u00e9s de una solicitud a /j_security_check con codificaci\u00f3n malformada de URL de contrase\u00f1as. Est\u00e1 relacionado con una comprobaci\u00f3n de errores incorrecta en los entornos de autenticaci\u00f3n (1) MemoryRealm, (2) DataSourceRealm y (3) JDBCRealm; como se ha demostrado con un valor % (porcentaje) en el par\u00e1metro j_password."
}
],
"id": "CVE-2009-0580",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2009-06-05T16:00:00.233",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=133469267822771\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=133469267822771\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/35326"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/35344"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/35685"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/35788"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/37460"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/42368"
},
{
"source": "secalert@redhat.com",
"url": "http://securitytracker.com/id?1022332"
},
{
"source": "secalert@redhat.com",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT4077"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?rev=747840\u0026view=rev"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?rev=781379\u0026view=rev"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?rev=781382\u0026view=rev"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2011/dsa-2207"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:136"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:138"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/504045/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/504108/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/504125/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/35196"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/1496"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/1856"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2010/3056"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50930"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18915"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6628"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9101"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=133469267822771\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=133469267822771\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/35326"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/35344"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/35685"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/35788"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/37460"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/42368"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1022332"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT4077"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?rev=747840\u0026view=rev"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?rev=781379\u0026view=rev"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?rev=781382\u0026view=rev"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2207"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:136"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:138"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/504045/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/504108/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/504125/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/35196"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/1496"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/1856"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2010/3056"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50930"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18915"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6628"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9101"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-17 16:59
Modified
2025-04-20 01:37
Severity ?
Summary
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | 8.5.0 | |
| apache | tomcat | 8.5.1 | |
| apache | tomcat | 8.5.2 | |
| apache | tomcat | 8.5.3 | |
| apache | tomcat | 8.5.4 | |
| apache | tomcat | 8.5.5 | |
| apache | tomcat | 8.5.6 | |
| apache | tomcat | 8.5.7 | |
| apache | tomcat | 8.5.8 | |
| apache | tomcat | 8.5.9 | |
| apache | tomcat | 8.5.10 | |
| apache | tomcat | 8.5.11 | |
| apache | tomcat | 8.5.12 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69A7FC28-A0EC-4516-9776-700343D2F4DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "18814653-6D44-47D9-A2F5-89C5AFB255F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D811A9-4988-4C11-AA27-F5BE2B93D8D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FAEF824D-7E95-4BC1-8DBB-787DCE595E21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "97F4A2B3-DB1D-4D0B-B5FF-7EE2A0D291BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0B461D5A-1208-498F-B551-46C6D514AC2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "598E5D91-0165-4D55-9EDD-EBB5AAAD1172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4B6B61B7-09A3-41C8-8333-0417C14CC87E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "95A139BA-CD3C-42F5-88BA-BE7BE58246D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "876EADA5-60AD-4849-BE10-61C75AA75053",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1814F8DE-2060-411F-9FCC-6EC42AF5663D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1AF6DBF7-BB0A-4AE6-84DA-51428ACF47CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A34F72ED-04FE-4EDE-BB18-BE8B1E99EEF1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up."
},
{
"lang": "es",
"value": "En Apache Tomcat 9.0.0.M1 a 9.0.0.M18 y 8.5.0 a 8.5.12, la refactorizaci\u00f3n de los conectores HTTP introdujo una regresi\u00f3n en el procesamiento de archivos de env\u00edo. Si el procesamiento de archivos enviados se complet\u00f3 r\u00e1pidamente, es posible que el Procesador se agregue a la cach\u00e9 del procesador dos veces. Esto podr\u00eda resultar en el mismo procesador que se utiliza para m\u00faltiples solicitudes que a su vez podr\u00eda dar lugar a errores inesperados y / o mezcla de respuesta."
}
],
"id": "CVE-2017-5651",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-17T16:59:00.477",
"references": [
{
"source": "security@apache.org",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97544"
},
{
"source": "security@apache.org",
"url": "http://www.securitytracker.com/id/1038219"
},
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=60918"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20180614-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97544"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1038219"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=60918"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20180614-0001/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-04-28 20:15
Modified
2025-05-06 20:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.
This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.
Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/04/28/2 | Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6F4F87EB-0046-4BAA-91C8-C60C60425186",
"versionEndExcluding": "9.0.104",
"versionStartIncluding": "9.0.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7EC8AA6F-0BB4-4075-8F2B-DE39FD9A2BD8",
"versionEndExcluding": "10.1.40",
"versionStartIncluding": "10.1.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "45AB4386-DB38-4808-924A-617CECE9F939",
"versionEndExcluding": "11.0.6",
"versionStartIncluding": "11.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "57088BDD-A136-45EF-A8A1-2EBF79CEC2CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "B32D1D7A-A04F-444E-8F45-BB9A9E4B0199",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "0092FB35-3B00-484F-A24D-7828396A4FF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "CB557E88-FA9D-4B69-AA6F-EAEE7F9B01AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "72D3C6F1-84FA-4F82-96C1-9A8DA1C1F30F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "3521C81B-37D9-48FC-9540-D0D333B9A4A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "02A84634-A8F2-4BA9-B9F3-BEF36AEC5480",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "ECBBC1F1-C86B-40AF-B740-A99F6B27682A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "9D2206B2-F3FF-43F2-B3E2-3CAAC64C691D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "0495A538-4102-40D0-A35C-0179CFD52A9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "77BA6600-0890-4BA1-B447-EC1746BAB4FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "7914D26B-CBD6-4846-9BD3-403708D69319",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "123C6285-03BE-49FC-B821-8BDB25D02863",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "8A28C2E2-B7BC-46CE-94E4-AE3EF172AA47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "069B0D8E-8223-4C4E-A834-C6235D6C3450",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "E6282085-5716-4874-B0B0-180ECDEE128F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "F1F981F5-035A-4EDD-8A9F-481EE8BC7FF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "03A171AF-2EC8-4422-912C-547CDB58CAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "538E68C4-0BA4-495F-AEF8-4EF6EE7963CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "49350A6E-5E1D-45B2-A874-3B8601B3ADCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "5F50942F-DF54-46C0-8371-9A476DD3EEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "D12C2C95-B79F-4AA4-8CE3-99A3EE7991AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "98792138-DD56-42DF-9612-3BDC65EEC117",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.\n\nThis issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.\n\nUsers are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache Tomcat. La gesti\u00f3n incorrecta de errores en algunos encabezados de prioridad HTTP no v\u00e1lidos provoc\u00f3 una limpieza incompleta de la solicitud fallida, lo que gener\u00f3 una fuga de memoria. Un gran n\u00famero de solicitudes de este tipo podr\u00eda generar una excepci\u00f3n OutOfMemoryException, lo que resulta en una denegaci\u00f3n de servicio. Este problema afecta a Apache Tomcat: de la 9.0.76 a la 9.0.102, de la 10.1.10 a la 10.1.39 y de la 11.0.0-M2 a la 11.0.5. Se recomienda actualizar a las versiones 9.0.104, 10.1.40 o 11.0.6, que solucionan el problema."
}
],
"id": "CVE-2025-31650",
"lastModified": "2025-05-06T20:15:26.237",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-04-28T20:15:20.653",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/04/28/2"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-459"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-459"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-02-10 18:00
Modified
2025-04-11 00:51
Severity ?
Summary
Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D11D6FB7-CBDB-48C1-98CB-1B3CAA36C5D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E98B82A-22E5-4E6C-90AE-56F5780EA147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "34672E90-C220-436B-9143-480941227933",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92883AFA-A02F-41A5-9977-ABEAC8AD2970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "989A78F8-EE92-465F-8A8D-ECF0B58AFE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1F5B6627-B4A4-4E2D-B96C-CA37CCC8C804",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "ACFB09F3-32D1-479C-8C39-D7329D9A6623",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "717F6995-5AF0-484C-90C0-A82F25FD2E32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9C36C-EF7E-4D42-9749-E2FF6CE35A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C98575E2-E39A-4A8F-B5B5-BD280B8367BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDA08E7-A417-44E8-9C89-EB22BEEC3B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "DCD1B6BE-CF07-4DA8-A703-4A48506C8AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "5878E08E-2741-4798-94E9-BA8E07386B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "69F6BAB7-C099-4345-A632-7287AEA555B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AAF031-D16B-4D51-9581-2D1376A5157B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*",
"matchCriteriaId": "51120689-F5C0-4DF1-91AA-314C40A46C58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F67477AB-85F6-421C-9C0B-C8EFB1B200CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*",
"matchCriteriaId": "16D0C265-2ED9-42CF-A7D6-C7FAE4246A1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*",
"matchCriteriaId": "5D70CFD9-B55D-4A29-B94C-D33F3E881A8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*",
"matchCriteriaId": "C1195878-CCC9-49BC-9AC7-1F88F0DFAB82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.29:*:*:*:*:*:*:*",
"matchCriteriaId": "375C26A9-623E-483A-BC11-468D9DE278C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.30:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDDD480-3C9E-4BE9-848A-99A13145C2AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.32:*:*:*:*:*:*:*",
"matchCriteriaId": "7B980C39-A4D8-483A-B48C-36CA4F5CEAA1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack."
},
{
"lang": "es",
"value": "Apache Tomcat v7.0.0 hasta v7.0.3, v6.0.x, y v5.5.x, cuando se ejecuta dentro de un SecurityManager no tiene el atributo ServletContext de s\u00f3lo lectura, lo que permite a las aplicaciones web locales leer y escribir archivos fuera del directorio de trabajo previsto, como se ha demostrado mediante un ataque de salto de directorio."
}
],
"id": "CVE-2010-3718",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 1.2,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 1.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-02-10T18:00:01.550",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=130168502603566\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=132215163318824\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=132215163318824\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43192"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/45022"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "secalert@redhat.com",
"url": "http://securityreason.com/securityalert/8072"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5002"
},
{
"source": "secalert@redhat.com",
"url": "http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2011/dsa-2160"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:030"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0791.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0896.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0897.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/516211/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/46177"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id?1025025"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65159"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12517"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13969"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19379"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=130168502603566\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=132215163318824\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=132215163318824\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43192"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/45022"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/8072"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5002"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2160"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:030"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0791.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0896.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0897.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/516211/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/46177"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1025025"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65159"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12517"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13969"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19379"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-08-14 22:17
Modified
2025-04-09 00:30
Severity ?
Summary
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C0CDF9E1-9412-450E-B1D4-438F128FFF9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "32561F50-6385-4D71-AFAC-3D2F8DB55A4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.3.1a:*:*:*:*:*:*:*",
"matchCriteriaId": "D51D88E7-6F5C-42B0-BAD6-7DCD9A357B43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:3.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C091BCC4-4B19-4304-A807-FE3BB3BCC8CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0E300013-0CE7-4313-A553-74A6A247B3E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E08D7414-8D0C-45D6-8E87-679DF0201D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AB15C5DB-0DBE-4DAD-ACBD-FAE23F768D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "60CFD9CA-1878-4C74-A9BD-5D581736E6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*",
"matchCriteriaId": "B7E52BE7-5281-4430-8846-E41CF34FC214",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*",
"matchCriteriaId": "CBDA8066-294D-431E-B026-C03707DFBCD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C92F3744-C8F9-4E29-BF1A-25E03A32F2C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*",
"matchCriteriaId": "1C03E4C9-34E3-42F7-8B73-D3C595FD7EE1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*",
"matchCriteriaId": "B1D9BD7E-FCC2-404B-A057-1A10997DAFF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*",
"matchCriteriaId": "6A79DA2C-35F3-47DE-909B-8D8D1AE111C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*",
"matchCriteriaId": "17522878-4266-432A-859D-C02096C8AC0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.36:*:*:*:*:*:*:*",
"matchCriteriaId": "5A28B11A-3BC7-41BC-8970-EE075B029F5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "13D9B12F-F36A-424E-99BB-E00EF0FCA277",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A8FEEF0-8E57-43B1-8316-228B76E458D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D82F3FAE-91AD-4F0B-A1F7-11C1A97C5ECB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A3B2802B-E56C-462A-9601-361A9166B5F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "190FB4FD-22A5-4771-8F99-1E260A36A474",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4BD3785E-3A09-4BE4-96C7-619B8A7D5062",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "285F7969-09F6-48CC-89CE-928225A53CDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "3B9EDACC-0300-4DA7-B1CD-5F7A6029AF38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "6B387EF0-94AD-4C8E-8CD4-4F5F706481BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "DA486065-18D5-4425-ADA5-284101919564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A0141E20-2E3D-4CD0-A757-D7CA98499CCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E62493D-FEAE-49E8-A293-CE18451D0264",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "FA01AB58-CAB2-420A-9899-EAB153DD898A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D731AFDD-9C33-4DC8-9BC6-06BB51048752",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "01706205-1369-4E5D-8936-723DA980CA9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "0DC4A52C-6FBC-420A-885A-F72BC1DBAEC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "3A1C882D-949B-40B9-BC9F-E7FCE4FE7C3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "9A1451D2-B905-4AD7-9BD7-10CF2A12BA34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C505696B-10E4-4B99-A598-40FA0DA39F7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "9EB2F3D8-25A1-408E-80D0-59D52A901284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "C3904E9A-585A-4005-B2E9-13538535383D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "AA1934BF-83E3-4B0B-A1DF-391A5332CE39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F06B9809-5BFA-4DB9-8753-1D8319713879",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "DF6631B0-9F2E-4C5F-AB21-F085A8C1559B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "15625451-E56D-405F-BE9B-B3CB1A35E929",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "97ADBDC4-B669-467D-9A07-9A2DD8B68374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA876C8-4417-4C35-9FEC-278D45CE6E92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "03C08A88-9377-4B32-8173-EE2D121B06D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "F7225A43-8EAE-4DA6-BBDC-4418D5444767",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A46C0933-3B19-40EA-8DED-2BF25AB85C17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E98B82A-22E5-4E6C-90AE-56F5780EA147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "34672E90-C220-436B-9143-480941227933",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92883AFA-A02F-41A5-9977-ABEAC8AD2970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "989A78F8-EE92-465F-8A8D-ECF0B58AFE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1F5B6627-B4A4-4E2D-B96C-CA37CCC8C804",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "ACFB09F3-32D1-479C-8C39-D7329D9A6623",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "717F6995-5AF0-484C-90C0-A82F25FD2E32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9C36C-EF7E-4D42-9749-E2FF6CE35A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C98575E2-E39A-4A8F-B5B5-BD280B8367BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDA08E7-A417-44E8-9C89-EB22BEEC3B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "DCD1B6BE-CF07-4DA8-A703-4A48506C8AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "5878E08E-2741-4798-94E9-BA8E07386B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "69F6BAB7-C099-4345-A632-7287AEA555B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AAF031-D16B-4D51-9581-2D1376A5157B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*",
"matchCriteriaId": "51120689-F5C0-4DF1-91AA-314C40A46C58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \\\" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks."
},
{
"lang": "es",
"value": "Apache Tomcat 6.0.0 hasta 6.0.13, 5.5.0 hasta 5.5.24, 5.0.0 hasta 5.0.30, 4.1.0 hasta 4.1.36, y 3.3 hasta 3.3.2 no trata adecuadamente la secuencia de caracteres \\\" en un valor de cookie, lo cual podr\u00eda provocar que informaci\u00f3n sensible como los IDs de sesi\u00f3n sean filtradas a atacantes remotos, as\u00ed como habilitar ataques de secuestro de sesi\u00f3n."
}
],
"id": "CVE-2007-3385",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-08-14T22:17:00.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "secalert@redhat.com",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "secalert@redhat.com",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "secalert@redhat.com",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554"
},
{
"source": "secalert@redhat.com",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/26466"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/26898"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/27037"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/27267"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/27727"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/28317"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/28361"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/29242"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30802"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/36486"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/44183"
},
{
"source": "secalert@redhat.com",
"url": "http://securityreason.com/securityalert/3011"
},
{
"source": "secalert@redhat.com",
"url": "http://securitytracker.com/id?1018557"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "secalert@redhat.com",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IZ55562"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2008/dsa-1447"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2008/dsa-1453"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/993544"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:241"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2007-0871.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2007-0950.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0195.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/476444/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/25316"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/2902"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/3386"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/3527"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35999"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9549"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01192554"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/26466"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/26898"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/27037"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/27267"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/27727"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/28317"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/28361"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/29242"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30802"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/36486"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/44183"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/3011"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1018557"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IZ55562"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2008/dsa-1447"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2008/dsa-1453"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/993544"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:241"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2007-0871.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2007-0950.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0195.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/476444/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/25316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/2902"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/3386"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/3527"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35999"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9549"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-10 22:29
Modified
2025-04-20 01:37
Severity ?
Summary
The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | 8.5.0 | |
| apache | tomcat | 8.5.1 | |
| apache | tomcat | 8.5.2 | |
| apache | tomcat | 8.5.3 | |
| apache | tomcat | 8.5.4 | |
| apache | tomcat | 8.5.5 | |
| apache | tomcat | 8.5.6 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69A7FC28-A0EC-4516-9776-700343D2F4DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "18814653-6D44-47D9-A2F5-89C5AFB255F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D811A9-4988-4C11-AA27-F5BE2B93D8D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FAEF824D-7E95-4BC1-8DBB-787DCE595E21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "97F4A2B3-DB1D-4D0B-B5FF-7EE2A0D291BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0B461D5A-1208-498F-B551-46C6D514AC2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "598E5D91-0165-4D55-9EDD-EBB5AAAD1172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible."
},
{
"lang": "es",
"value": "El parser de cabecera HTTP/2 en Apache Tomcat en sus versiones 9.0.0.M1 a 9.0.0.M11 y 8.5.0 a 8.5.6 entraba en un bucle infinito si la cabecera recibida era mayor que el b\u00fafer disponible. Esto hizo que fuese posible realizar un ataque de denegaci\u00f3n de servicio."
}
],
"id": "CVE-2016-6817",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2017-08-10T22:29:00.233",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94462"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1037330"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/a9f24571460af003071475b75f18cad81ebcc36fa7c876965a75e32a%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20180607-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94462"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1037330"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/a9f24571460af003071475b75f18cad81ebcc36fa7c876965a75e32a%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20180607-0001/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-17 16:59
Modified
2025-04-20 01:37
Severity ?
Summary
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | 8.5.0 | |
| apache | tomcat | 8.5.1 | |
| apache | tomcat | 8.5.2 | |
| apache | tomcat | 8.5.3 | |
| apache | tomcat | 8.5.4 | |
| apache | tomcat | 8.5.5 | |
| apache | tomcat | 8.5.6 | |
| apache | tomcat | 8.5.7 | |
| apache | tomcat | 8.5.8 | |
| apache | tomcat | 8.5.9 | |
| apache | tomcat | 8.5.10 | |
| apache | tomcat | 8.5.11 | |
| apache | tomcat | 8.5.12 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69A7FC28-A0EC-4516-9776-700343D2F4DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "18814653-6D44-47D9-A2F5-89C5AFB255F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D811A9-4988-4C11-AA27-F5BE2B93D8D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FAEF824D-7E95-4BC1-8DBB-787DCE595E21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "97F4A2B3-DB1D-4D0B-B5FF-7EE2A0D291BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0B461D5A-1208-498F-B551-46C6D514AC2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "598E5D91-0165-4D55-9EDD-EBB5AAAD1172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4B6B61B7-09A3-41C8-8333-0417C14CC87E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "95A139BA-CD3C-42F5-88BA-BE7BE58246D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "876EADA5-60AD-4849-BE10-61C75AA75053",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1814F8DE-2060-411F-9FCC-6EC42AF5663D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1AF6DBF7-BB0A-4AE6-84DA-51428ACF47CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A34F72ED-04FE-4EDE-BB18-BE8B1E99EEF1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads."
},
{
"lang": "es",
"value": "En Apache Tomcat 9.0.0.M1 a 9.0.0.M18 y 8.5.0 a 8.5.12, el tratamiento de un marco HTTP/2 GOAWAY para una conexi\u00f3n que no cerr\u00f3 los flujos asociados con esa conexi\u00f3n que estaban esperando actualmente un WINDOW_UPDATE antes de permitir que la aplicaci\u00f3n escriba m\u00e1s datos. Estos flujos de espera cada uno consumi\u00f3 un hilo. Un cliente malicioso podr\u00eda construir una serie de peticiones HTTP/2 que consumir\u00edan todos los subprocesos de procesamiento disponibles."
}
],
"id": "CVE-2017-5650",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-17T16:59:00.430",
"references": [
{
"source": "security@apache.org",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97531"
},
{
"source": "security@apache.org",
"url": "http://www.securitytracker.com/id/1038217"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/d24303fb095db072740d8154b0f0db3f2b8f67bc91a0562dbe89c738%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20180614-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97531"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1038217"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/d24303fb095db072740d8154b0f0db3f2b8f67bc91a0562dbe89c738%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20180614-0001/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-404"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-09-12 01:55
Modified
2025-04-12 10:46
Severity ?
Summary
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | 7.0.0 | |
| apache | tomcat | 7.0.0 | |
| apache | tomcat | 7.0.1 | |
| apache | tomcat | 7.0.2 | |
| apache | tomcat | 7.0.2 | |
| apache | tomcat | 7.0.3 | |
| apache | tomcat | 7.0.4 | |
| apache | tomcat | 7.0.4 | |
| apache | tomcat | 7.0.10 | |
| apache | tomcat | 7.0.11 | |
| apache | tomcat | 7.0.12 | |
| apache | tomcat | 7.0.13 | |
| apache | tomcat | 7.0.14 | |
| apache | tomcat | 7.0.15 | |
| apache | tomcat | 7.0.16 | |
| apache | tomcat | 7.0.17 | |
| apache | tomcat | 7.0.18 | |
| apache | tomcat | 7.0.19 | |
| apache | tomcat | 7.0.20 | |
| apache | tomcat | 7.0.21 | |
| apache | tomcat | 7.0.22 | |
| apache | tomcat | 7.0.23 | |
| apache | tomcat | 7.0.24 | |
| apache | tomcat | 7.0.25 | |
| apache | tomcat | 7.0.26 | |
| apache | tomcat | 7.0.27 | |
| apache | tomcat | 7.0.28 | |
| apache | tomcat | 7.0.29 | |
| apache | tomcat | 7.0.30 | |
| apache | tomcat | 7.0.31 | |
| apache | tomcat | 7.0.32 | |
| apache | tomcat | 7.0.33 | |
| apache | tomcat | 7.0.34 | |
| apache | tomcat | 7.0.35 | |
| apache | tomcat | 7.0.36 | |
| apache | tomcat | 7.0.37 | |
| apache | tomcat | 7.0.38 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CEBF404D-B53C-4B16-9010-0777DEE1B9E8",
"versionEndIncluding": "7.0.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "5E8FF71D-4710-4FBB-9925-A6A26C450F7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "BCAF1EB5-FB34-40FC-96ED-9D073890D8BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED5125CC-05F9-4678-90DB-A5C7CD24AE6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "1B904C74-B92E-4EAE-AE6C-78E2B844C3DB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file."
},
{
"lang": "es",
"value": "Vulnerabilidad de la subida de ficheros sin restricciones Apache Tomcat 7.x anterior a 7.0.40, en ciertas situaciones que implican c\u00f3digo anticuado java.io.File y configuraci\u00f3n JMX personalizada, permite a atacantes remotos ejecutar c\u00f3digo arbitrario mediante la subida y el acceso a un archivo JSP."
}
],
"id": "CVE-2013-4444",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-09-12T01:55:06.730",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://archives.neohapsis.com/archives/bugtraq/2014-09/0075.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=144498216801440\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2014/10/24/12"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/fulldisclosure/2021/Jan/23"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3447"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/69728"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1030834"
},
{
"source": "secalert@redhat.com",
"url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/bugtraq/2014-09/0075.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=144498216801440\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2014/10/24/12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2021/Jan/23"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3447"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/69728"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1030834"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-25 01:59
Modified
2025-04-12 10:46
Severity ?
Summary
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*",
"matchCriteriaId": "6F1B937B-57E0-4E88-9E39-39012A924525",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
"matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7D0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*",
"matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*",
"matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*",
"matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA1555C-E55A-4E14-B786-BFEE3F09220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*",
"matchCriteriaId": "F8075E9A-DA7F-4A0B-8B4D-0CD951369111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*",
"matchCriteriaId": "335A5320-6086-4B45-9903-82F6F92A584F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*",
"matchCriteriaId": "46B33408-C2E2-4E7C-9334-6AB98F13468C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*",
"matchCriteriaId": "9F036676-9EFB-4A92-828E-A38905D594E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*",
"matchCriteriaId": "E9728EE8-6029-4DF3-942E-E4ACC09111A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*",
"matchCriteriaId": "34E7DAC8-8419-45D1-A28F-14CF2FE1B6EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F963D737-2E95-4D7C-92C7-DACF3F36D1E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF96F96-34DB-4EB3-BF59-11220673FA26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "701424A2-BB06-44B5-B468-7164E4F95529",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1BA6388C-5B6E-4651-8AE3-EBCCF61C27E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "8F9A5B7E-33A9-4651-9BE1-371A0064B661",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "F99252E8-A59C-48E1-B251-718D7FB3E399",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "4E0DDEF6-A8EE-46C4-A046-A1F26E7C4E87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "14B38892-9C00-4510-B7BA-F2A8F2CACCAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "7409B064-D43E-489E-AEC6-0A767FB21737",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "F019268F-80C4-48FE-8164-E9DA0A3BAFF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "1EFBD214-FCFE-4F04-A903-66EFDA764B9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "425D86B3-6BB9-410D-8125-F7CF87290AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "3EE3BB0D-1002-41E4-9BE8-875D97330057",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "6622472B-8644-4D45-A54B-A215C3D64B83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "B338F95B-2924-435B-827F-E64420A93244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "209D1349-7740-4DBE-80A5-E6343C62BAB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "09E77C24-C265-403D-A193-B3739713F6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "28616FA3-9A98-4AAE-9F94-3E77A14156EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token."
},
{
"lang": "es",
"value": "Las aplicaciones (1) Manager y (2) Host Manager en Apache Tomcat 7.x en versiones anteriores a 7.0.68, 8.x en versiones anteriores a 8.0.31 y 9.x en versiones anteriores a 9.0.0.M2 establecen sesiones y env\u00edan tokens CSRF para peticiones nuevas arbitrarias, lo que permite a atacantes remotos eludir un mecanismo de protecci\u00f3n CSRF mediante el uso de un token."
}
],
"id": "CVE-2015-5351",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-25T01:59:03.263",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"
},
{
"source": "secalert@redhat.com",
"url": "http://packetstormsecurity.com/files/135882/Apache-Tomcat-CSRF-Token-Leak.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1089.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/bugtraq/2016/Feb/148"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720652"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720655"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720658"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720660"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720661"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720663"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-9.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3552"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3609"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/83330"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1035069"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-3024-1"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2016:1087"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2016:1088"
},
{
"source": "secalert@redhat.com",
"url": "https://bto.bluecoat.com/security-advisory/sa118"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "secalert@redhat.com",
"url": "https://security.netapp.com/advisory/ntap-20180531-0001/"
},
{
"source": "secalert@redhat.com",
"url": "https://softwaresupport.hpe.com/document/-/facetsearch/document/KM02978021"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/135882/Apache-Tomcat-CSRF-Token-Leak.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1089.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/bugtraq/2016/Feb/148"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720652"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720655"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720658"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720660"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720661"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1720663"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-9.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3552"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3609"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/83330"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1035069"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-3024-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2016:1087"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2016:1088"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bto.bluecoat.com/security-advisory/sa118"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20180531-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://softwaresupport.hpe.com/document/-/facetsearch/document/KM02978021"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-06-04 19:32
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | 5.5.9 | |
| apache | tomcat | 5.5.10 | |
| apache | tomcat | 5.5.11 | |
| apache | tomcat | 5.5.12 | |
| apache | tomcat | 5.5.13 | |
| apache | tomcat | 5.5.14 | |
| apache | tomcat | 5.5.15 | |
| apache | tomcat | 5.5.16 | |
| apache | tomcat | 5.5.17 | |
| apache | tomcat | 5.5.18 | |
| apache | tomcat | 5.5.19 | |
| apache | tomcat | 5.5.20 | |
| apache | tomcat | 5.5.21 | |
| apache | tomcat | 5.5.22 | |
| apache | tomcat | 5.5.23 | |
| apache | tomcat | 5.5.24 | |
| apache | tomcat | 5.5.25 | |
| apache | tomcat | 5.5.26 | |
| apache | tomcat | 6.0.0 | |
| apache | tomcat | 6.0.1 | |
| apache | tomcat | 6.0.2 | |
| apache | tomcat | 6.0.3 | |
| apache | tomcat | 6.0.4 | |
| apache | tomcat | 6.0.5 | |
| apache | tomcat | 6.0.6 | |
| apache | tomcat | 6.0.7 | |
| apache | tomcat | 6.0.8 | |
| apache | tomcat | 6.0.9 | |
| apache | tomcat | 6.0.10 | |
| apache | tomcat | 6.0.11 | |
| apache | tomcat | 6.0.12 | |
| apache | tomcat | 6.0.13 | |
| apache | tomcat | 6.0.14 | |
| apache | tomcat | 6.0.15 | |
| apache | tomcat | 6.0.16 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9C36C-EF7E-4D42-9749-E2FF6CE35A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C98575E2-E39A-4A8F-B5B5-BD280B8367BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDA08E7-A417-44E8-9C89-EB22BEEC3B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "DCD1B6BE-CF07-4DA8-A703-4A48506C8AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "5878E08E-2741-4798-94E9-BA8E07386B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "69F6BAB7-C099-4345-A632-7287AEA555B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AAF031-D16B-4D51-9581-2D1376A5157B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*",
"matchCriteriaId": "51120689-F5C0-4DF1-91AA-314C40A46C58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F67477AB-85F6-421C-9C0B-C8EFB1B200CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*",
"matchCriteriaId": "16D0C265-2ED9-42CF-A7D6-C7FAE4246A1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add."
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en Apache Tomcat v5.5.9 a la v5.5.26 y v6.0.0 a la v6.0.16, permite a atacantes remotos inyectar secuencias de comandos web y HTML de su elecci\u00f3n a trav\u00e9s del par\u00e1metro name (tambi\u00e9n conocido como el atributo hostname) al host-manager/html/add."
}
],
"id": "CVE-2008-1947",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2008-06-04T19:32:00.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=123376588623823\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=123376588623823\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=tomcat-user\u0026m=121244319501278\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/30500"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/30592"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30967"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/31639"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/31865"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/31891"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/32120"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/32222"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/32266"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/33797"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/33999"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/34013"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/37460"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT3216"
},
{
"source": "secalert@redhat.com",
"url": "http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2008/dsa-1593"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:188"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0648.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0864.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/492958/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/29502"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/31681"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id?1020624"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/1725"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/2780"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/2823"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/0320"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/0503"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42816"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=123376588623823\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=123376588623823\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=tomcat-user\u0026m=121244319501278\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/30500"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/30592"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30967"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31639"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31865"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31891"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/32120"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/32222"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/32266"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/33797"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/33999"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/34013"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/37460"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT3216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2008/dsa-1593"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:188"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0648.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0864.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/492958/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/29502"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/31681"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1020624"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1725"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/2780"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/2823"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/0320"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/0503"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-11 02:29
Modified
2025-04-20 01:37
Severity ?
Summary
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "7A11BD74-305C-41E2-95B1-5008EEF5FA5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "595442D0-9DB7-475A-AE30-8535B70E122E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0BA92A-0BD3-4CE4-9465-95E949104BAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*",
"matchCriteriaId": "DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
"matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7D0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*",
"matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*",
"matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*",
"matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*",
"matchCriteriaId": "A225D4F7-174E-47C3-8390-C6FA28DB5A9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA1555C-E55A-4E14-B786-BFEE3F09220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*",
"matchCriteriaId": "6BAC42AE-B82A-4ABF-9519-B2D97D925707",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*",
"matchCriteriaId": "F8075E9A-DA7F-4A0B-8B4D-0CD951369111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*",
"matchCriteriaId": "335A5320-6086-4B45-9903-82F6F92A584F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*",
"matchCriteriaId": "46B33408-C2E2-4E7C-9334-6AB98F13468C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*",
"matchCriteriaId": "9F036676-9EFB-4A92-828E-A38905D594E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*",
"matchCriteriaId": "E9728EE8-6029-4DF3-942E-E4ACC09111A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*",
"matchCriteriaId": "62DBB843-288C-4060-8777-6CDCF1860D29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*",
"matchCriteriaId": "34E7DAC8-8419-45D1-A28F-14CF2FE1B6EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*",
"matchCriteriaId": "89B87EB5-4902-4C2A-878A-45185F7D0FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*",
"matchCriteriaId": "C0596E6C-9ACE-4106-A2FF-BED7967C323F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*",
"matchCriteriaId": "8F7158DC-966B-4508-8600-40E3E9D3D0DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*",
"matchCriteriaId": "A190FE0D-86C1-49EE-BDAE-5879C32BDC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*",
"matchCriteriaId": "CA20F45F-01A2-43DD-9731-DFF54E31719F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*",
"matchCriteriaId": "3C7A728B-59DB-4EDE-8929-C91F4C410902",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*",
"matchCriteriaId": "26889291-3280-4524-8F4A-9B22FF4600C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*",
"matchCriteriaId": "6E4CAEBD-0F38-4892-9D0B-9D7392E0BCC3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*",
"matchCriteriaId": "61C4DA00-E47C-47BE-856C-7E0D4B0F9DAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*",
"matchCriteriaId": "41FF234B-A9AD-4C51-8E9E-939DC8ECB64A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*",
"matchCriteriaId": "4FA0E2FD-84FB-4691-B4B5-12A381CB091E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E6CE354B-36BE-4280-9D86-E3AC552E6D6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F963D737-2E95-4D7C-92C7-DACF3F36D1E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C4DB619-F6B0-4896-9AE2-7E7D92105577",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF96F96-34DB-4EB3-BF59-11220673FA26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "44883383-6360-4BE6-9B48-1308F85E5797",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EDF3E379-47D2-4C86-8C6D-8B3C25A0E1C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E82391BD-10FF-4E7F-91DC-35AA11325530",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "92C22F12-C072-4A12-A4A9-CBF589A36FF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "61E008F8-2F01-4DD8-853A-337B4B4163C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "6A776B25-6AF1-421B-8E47-2A7499F6B4D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "7A332FDE-42AE-4F48-9553-5AE953CD6D3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "701424A2-BB06-44B5-B468-7164E4F95529",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1BA6388C-5B6E-4651-8AE3-EBCCF61C27E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A63FA521-9D20-49B9-A9A4-0DF891B4E4E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "8F9A5B7E-33A9-4651-9BE1-371A0064B661",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "F99252E8-A59C-48E1-B251-718D7FB3E399",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9D05293B-B9D8-42F1-9367-9D2E058EFAD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "4E0DDEF6-A8EE-46C4-A046-A1F26E7C4E87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "14B38892-9C00-4510-B7BA-F2A8F2CACCAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8C913AA6-2260-4249-BE1D-7139F45735D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "7409B064-D43E-489E-AEC6-0A767FB21737",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "F019268F-80C4-48FE-8164-E9DA0A3BAFF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "1EFBD214-FCFE-4F04-A903-66EFDA764B9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "425D86B3-6BB9-410D-8125-F7CF87290AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "3EE3BB0D-1002-41E4-9BE8-875D97330057",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "25D0E80B-EDDA-4876-912D-44BFE6211EB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "6622472B-8644-4D45-A54B-A215C3D64B83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "B338F95B-2924-435B-827F-E64420A93244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "209D1349-7740-4DBE-80A5-E6343C62BAB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "09E77C24-C265-403D-A193-B3739713F6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "28616FA3-9A98-4AAE-9F94-3E77A14156EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "335925DA-11C0-4222-B6B7-82602B361751",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "603A14BF-72BB-4A3D-8CBC-932DC45CEC06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "4C2E1C55-3C89-4F26-A981-1195BCC9BB5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "FC242407-A447-4ABD-8E19-EB6DB1F35121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "31BB906B-812F-462C-9AEE-147C1418D865",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "0B701E17-D231-44ED-A46E-C67749A725B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B8CAF2F7-D227-4F06-B0E6-533C5EDB105B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "305B73CE-0224-4E73-8EB2-FC41A62FBA08",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "D0DBF476-D7BB-4FC8-89FE-FF0CD135E9BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "BC866C53-0C6B-4D0B-A168-D3985B1CF0F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "290B0787-49F1-41FB-9AFD-36646FB16CA9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "1B741F4F-E52B-43CD-A9CC-6AC46B2DE111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7A8369-183D-4C00-B2B2-0F81DA153C4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "50550ABF-3414-4F93-A56C-9B0CCC8A52AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69A7FC28-A0EC-4516-9776-700343D2F4DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "18814653-6D44-47D9-A2F5-89C5AFB255F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D811A9-4988-4C11-AA27-F5BE2B93D8D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FAEF824D-7E95-4BC1-8DBB-787DCE595E21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "97F4A2B3-DB1D-4D0B-B5FF-7EE2A0D291BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0B461D5A-1208-498F-B551-46C6D514AC2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "598E5D91-0165-4D55-9EDD-EBB5AAAD1172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4B6B61B7-09A3-41C8-8333-0417C14CC87E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "95A139BA-CD3C-42F5-88BA-BE7BE58246D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "876EADA5-60AD-4849-BE10-61C75AA75053",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1814F8DE-2060-411F-9FCC-6EC42AF5663D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1AF6DBF7-BB0A-4AE6-84DA-51428ACF47CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A34F72ED-04FE-4EDE-BB18-BE8B1E99EEF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "3245C35C-02E7-46B9-A720-37D3C17AFDD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "F4239A72-EFA1-49E3-8755-5961060F2198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "C9053CCE-1175-47F9-BF27-7586F082AF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances."
},
{
"lang": "es",
"value": "CORS Filter en Apache Tomcat 9.0.0.M1 a 9.0.0.M21, 8.5.0 a 8.5.15, 8.0.0.RC1 a 8.0.44 y 7.0.41 a 7.0.78 no a\u00f1adi\u00f3 un encabezado HTTP Vary indicando que la respuesta var\u00eda dependiendo de Origin. Esto permit\u00eda, en algunas circunstancias, el envenenamiento de la cach\u00e9 del lado del cliente y del servidor."
}
],
"id": "CVE-2017-7674",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-11T02:29:00.287",
"references": [
{
"source": "security@apache.org",
"url": "http://www.debian.org/security/2017/dsa-3974"
},
{
"source": "security@apache.org",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100280"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:1801"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:1802"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:3081"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/22b4bb077502f847e2b9fcf00b96e81e734466ab459780ff73b60c0f%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20180614-0003/"
},
{
"source": "security@apache.org",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03828en_us"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2017/dsa-3974"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100280"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:1801"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:1802"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:3081"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/22b4bb077502f847e2b9fcf00b96e81e734466ab459780ff73b60c0f%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20180614-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03828en_us"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2005-12-31 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AF73578B-8EF3-476D-B918-C0C2025F72CF",
"versionEndIncluding": "5.5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries."
}
],
"id": "CVE-2005-4838",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2005-12-31T05:00:00.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065598.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=tomcat-dev\u0026m=110476790331536\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=tomcat-dev\u0026m=110477195116951\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/13737"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/31493"
},
{
"source": "secalert@redhat.com",
"url": "http://securitytracker.com/id?1012793"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oliverkarow.de/research/jakarta556_xss.txt"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/12721"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/34878"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/34879"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36467"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065598.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=tomcat-dev\u0026m=110476790331536\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=tomcat-dev\u0026m=110477195116951\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/13737"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31493"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1012793"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oliverkarow.de/research/jakarta556_xss.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/12721"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/34878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/34879"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36467"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-09-05 19:17
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in cal2.jsp in the calendar examples application in Apache Tomcat 4.1.31 allows remote attackers to add events as arbitrary users via the time and description parameters.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*",
"matchCriteriaId": "17522878-4266-432A-859D-C02096C8AC0E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in cal2.jsp in the calendar examples application in Apache Tomcat 4.1.31 allows remote attackers to add events as arbitrary users via the time and description parameters."
},
{
"lang": "es",
"value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en cal2.jsp en la aplicaci\u00f3n de ejemplos de calendario de Apache Tomcat 4.1.31 permite a atacantes remotos a\u00f1adir eventos como usuarios de su elecci\u00f3n mediante los par\u00e1metros time y description."
}
],
"id": "CVE-2007-4724",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-09-05T19:17:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://archives.neohapsis.com/archives/bugtraq/2007-09/0040.html"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/41029"
},
{
"source": "cve@mitre.org",
"url": "http://securityreason.com/securityalert/3094"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/478491/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/bugtraq/2007-09/0040.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/41029"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/3094"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/478491/100/0/threaded"
}
],
"sourceIdentifier": "cve@mitre.org",
"vendorComments": [
{
"comment": "This name is a duplicate of CVE-2006-7196. This issue was fixed in Apache Tomcat 4.1.32 and 5.5.16.",
"lastModified": "2007-09-06T00:00:00",
"organization": "Apache"
}
],
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-08-02 14:29
Modified
2024-11-21 04:13
Severity ?
Summary
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| debian | debian_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0C7AA4C-A38E-4A72-A6E5-FCB7B8DB9BF7",
"versionEndIncluding": "8.5.31",
"versionStartIncluding": "8.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DFDCC646-7CAB-45FF-B53B-AFBFFEF393D8",
"versionEndIncluding": "9.0.9",
"versionStartIncluding": "9.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7C6119C4-1200-4EBE-89AB-6AB755C6DE3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31."
},
{
"lang": "es",
"value": "Si la aplicaci\u00f3n completaba una petici\u00f3n async al mismo tiempo que el contenedor activaba el tiempo de espera de async, exist\u00eda una condici\u00f3n de carrera que pod\u00eda hacer que un usuario viera una respuesta destinada a otro usuario. Un problema adicional estaba presente en los conectores NIO y NIO2 que no rastreaban correctamente el cierre de la conexi\u00f3n cuando la aplicaci\u00f3n completaba una petici\u00f3n async, la completaba la aplicaci\u00f3n y expiraba por el contenedor al mismo tiempo. Esto tambi\u00e9n podr\u00eda dar lugar a que un usuario vea una respuesta destinada a otro usuario. Versiones afectadas: Apache Tomcat desde la versi\u00f3n 9.0.0.M9 hasta la 9.0.9 y desde la 8.5.5 hasta la 8.5.31."
}
],
"id": "CVE-2018-8037",
"lastModified": "2024-11-21T04:13:09.157",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-08-02T14:29:00.363",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090623.GA92700%40minotaur.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201808.mbox/%3C0c616b4d-4e81-e7f8-b81d-1bb4c575aa33%40apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/104894"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1041376"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2867"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2868"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2019:1529"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20180817-0001/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4281"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090623.GA92700%40minotaur.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201808.mbox/%3C0c616b4d-4e81-e7f8-b81d-1bb4c575aa33%40apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/104894"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1041376"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2867"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2868"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2019:1529"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20180817-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4281"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-12-19 11:55
Modified
2025-04-11 00:51
Severity ?
Summary
org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D11D6FB7-CBDB-48C1-98CB-1B3CAA36C5D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*",
"matchCriteriaId": "0A354C34-A3FE-4B8A-9985-8874A0634BC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*",
"matchCriteriaId": "CFE300CC-FD4A-444E-8506-E5E269D0A0A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*",
"matchCriteriaId": "F50A3EC9-516E-48A7-839B-A73F491B5B9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "8C28F09D-5CAA-4CA7-A2B5-3B2820F5F409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:beta:*:*:*:*:*:*",
"matchCriteriaId": "8B79F2EA-C893-4359-80EC-24AE38D982E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "CE92E59A-FF0D-4D1A-8B12-CC41A7E1FD3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "48E5E8C3-21AD-4230-B945-AB7DE66307B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4945C8C1-C71B-448B-9075-07C6C92599CF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI."
},
{
"lang": "es",
"value": "org/apache/catalina/campo/RealmBase.java en Apache Tomcat v6.x antes de v6.0.36 y v7.x antes de v7.0.30, cuando se utiliza la autenticaci\u00f3n de formularios, permite a atacantes remotos evitar restricciones de seguridad aprovech\u00e1ndose de una llamada setUserPrincipal anterior para luego colocar /j_security_check al final de una URI.\r\n"
}
],
"id": "CVE-2012-3546",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-12-19T11:55:54.517",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0044.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136612293908376\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136612293908376\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0004.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0005.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0146.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0147.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0151.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0157.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0158.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0162.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0163.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0164.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0235.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0623.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0640.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0641.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0642.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/51984"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/52054"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?r1=1377892\u0026r2=1377891\u0026pathrev=1377892"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?r1=1377892\u0026r2=1377891\u0026pathrev=1377892"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1377892"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/56812"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id?1027833"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-1685-1"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19305"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-12/0044.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136612293908376\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136612293908376\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0005.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0146.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0147.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0151.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0157.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0158.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0162.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0163.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0164.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0235.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0623.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0640.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0641.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0642.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/51984"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/52054"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?r1=1377892\u0026r2=1377891\u0026pathrev=1377892"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?r1=1377892\u0026r2=1377891\u0026pathrev=1377892"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1377892"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/56812"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1027833"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-1685-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19305"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-05-10 00:19
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CBB47E3B-ECDD-4A05-9920-90696089C4C0",
"versionEndIncluding": "4.1.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "914E1404-01A2-4F94-AA40-D5EA20F55AD3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81FB1106-B26D-45BE-A511-8E69131BBA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "401A213A-FED3-49C0-B823-2E02EA528905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7641278D-3B8B-4CD2-B284-2047B65514A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7B9911-E836-4A96-A0E8-D13C957EC0EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D2341C51-A239-4A4A-B0DC-30F18175442C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "13D9B12F-F36A-424E-99BB-E00EF0FCA277",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A8FEEF0-8E57-43B1-8316-228B76E458D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D82F3FAE-91AD-4F0B-A1F7-11C1A97C5ECB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A3B2802B-E56C-462A-9601-361A9166B5F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "190FB4FD-22A5-4771-8F99-1E260A36A474",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4BD3785E-3A09-4BE4-96C7-619B8A7D5062",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "285F7969-09F6-48CC-89CE-928225A53CDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "3B9EDACC-0300-4DA7-B1CD-5F7A6029AF38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "6B387EF0-94AD-4C8E-8CD4-4F5F706481BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "DA486065-18D5-4425-ADA5-284101919564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A0141E20-2E3D-4CD0-A757-D7CA98499CCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E62493D-FEAE-49E8-A293-CE18451D0264",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "FA01AB58-CAB2-420A-9899-EAB153DD898A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D731AFDD-9C33-4DC8-9BC6-06BB51048752",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "01706205-1369-4E5D-8936-723DA980CA9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "0DC4A52C-6FBC-420A-885A-F72BC1DBAEC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "3A1C882D-949B-40B9-BC9F-E7FCE4FE7C3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "9A1451D2-B905-4AD7-9BD7-10CF2A12BA34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C505696B-10E4-4B99-A598-40FA0DA39F7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "9EB2F3D8-25A1-408E-80D0-59D52A901284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "C3904E9A-585A-4005-B2E9-13538535383D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "AA1934BF-83E3-4B0B-A1DF-391A5332CE39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F06B9809-5BFA-4DB9-8753-1D8319713879",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "DF6631B0-9F2E-4C5F-AB21-F085A8C1559B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "15625451-E56D-405F-BE9B-B3CB1A35E929",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "97ADBDC4-B669-467D-9A07-9A2DD8B68374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA876C8-4417-4C35-9FEC-278D45CE6E92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "03C08A88-9377-4B32-8173-EE2D121B06D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "F7225A43-8EAE-4DA6-BBDC-4418D5444767",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A46C0933-3B19-40EA-8DED-2BF25AB85C17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E98B82A-22E5-4E6C-90AE-56F5780EA147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "34672E90-C220-436B-9143-480941227933",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92883AFA-A02F-41A5-9977-ABEAC8AD2970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "989A78F8-EE92-465F-8A8D-ECF0B58AFE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1F5B6627-B4A4-4E2D-B96C-CA37CCC8C804",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "ACFB09F3-32D1-479C-8C39-D7329D9A6623",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "717F6995-5AF0-484C-90C0-A82F25FD2E32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el ejemplo de aplicaci\u00f3n de calendario en Apache Tomcat versi\u00f3n 4.0.0 hasta 4.0.6, versi\u00f3n 4.1.0 hasta 4.1.31, versi\u00f3n 5.0.0 hasta 5.0.30 y versi\u00f3n 5.5.0 hasta 5.5.15 permite a atacantes remotos inyectar script web o HTML arbitrarias por medio del par\u00e1metro time hacia el archivo cal2.jsp y posiblemente otros vectores no especificados. NOTA: esto puede estar relacionado con CVE-2006-0254.1."
}
],
"id": "CVE-2006-7196",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2007-05-10T00:19:00.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
},
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/34888"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/29242"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "secalert@redhat.com",
"url": "http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm"
},
{
"source": "secalert@redhat.com",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/478491/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/478609/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/25531"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/1729"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/34888"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/29242"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/478491/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/478609/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/25531"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/1729"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-03-14 19:55
Modified
2025-04-11 00:51
Severity ?
Summary
Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application."
},
{
"lang": "es",
"value": "Apache Tomcat v7.x anterior a v7.0.10 no sigue anotaciones ServletSecurity, lo que permite a atacantes remotos evitar las restricciones de acceso a trav\u00e9s de peticiones HTTP a una aplicaci\u00f3n web."
}
],
"id": "CVE-2011-1088",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-03-14T19:55:02.167",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "http://markmail.org/message/lzx5273wsgl5pob6"
},
{
"source": "secalert@redhat.com",
"url": "http://markmail.org/message/yzmyn44f5aetmm2r"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43684"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1076586"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1076587"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1077995"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/71027"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/517013/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/46685"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id?1025215"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2011/0563"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65971"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://markmail.org/message/lzx5273wsgl5pob6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://markmail.org/message/yzmyn44f5aetmm2r"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43684"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1076586"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1076587"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1077995"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/71027"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/517013/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/46685"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1025215"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2011/0563"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65971"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-06-14 23:30
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A2F21F74-F36E-477D-9E5A-6EA1D210A408",
"versionEndIncluding": "4.1.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "914E1404-01A2-4F94-AA40-D5EA20F55AD3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81FB1106-B26D-45BE-A511-8E69131BBA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "401A213A-FED3-49C0-B823-2E02EA528905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7641278D-3B8B-4CD2-B284-2047B65514A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7B9911-E836-4A96-A0E8-D13C957EC0EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "13D9B12F-F36A-424E-99BB-E00EF0FCA277",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A8FEEF0-8E57-43B1-8316-228B76E458D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D82F3FAE-91AD-4F0B-A1F7-11C1A97C5ECB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A3B2802B-E56C-462A-9601-361A9166B5F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "190FB4FD-22A5-4771-8F99-1E260A36A474",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4BD3785E-3A09-4BE4-96C7-619B8A7D5062",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "285F7969-09F6-48CC-89CE-928225A53CDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "3B9EDACC-0300-4DA7-B1CD-5F7A6029AF38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "6B387EF0-94AD-4C8E-8CD4-4F5F706481BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "DA486065-18D5-4425-ADA5-284101919564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A0141E20-2E3D-4CD0-A757-D7CA98499CCE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9E62493D-FEAE-49E8-A293-CE18451D0264",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "FA01AB58-CAB2-420A-9899-EAB153DD898A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D731AFDD-9C33-4DC8-9BC6-06BB51048752",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "01706205-1369-4E5D-8936-723DA980CA9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "0DC4A52C-6FBC-420A-885A-F72BC1DBAEC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "3A1C882D-949B-40B9-BC9F-E7FCE4FE7C3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "9A1451D2-B905-4AD7-9BD7-10CF2A12BA34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C505696B-10E4-4B99-A598-40FA0DA39F7B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "9EB2F3D8-25A1-408E-80D0-59D52A901284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "C3904E9A-585A-4005-B2E9-13538535383D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "AA1934BF-83E3-4B0B-A1DF-391A5332CE39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F06B9809-5BFA-4DB9-8753-1D8319713879",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "DF6631B0-9F2E-4C5F-AB21-F085A8C1559B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "15625451-E56D-405F-BE9B-B3CB1A35E929",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "97ADBDC4-B669-467D-9A07-9A2DD8B68374",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "8DA876C8-4417-4C35-9FEC-278D45CE6E92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "03C08A88-9377-4B32-8173-EE2D121B06D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "F7225A43-8EAE-4DA6-BBDC-4418D5444767",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A46C0933-3B19-40EA-8DED-2BF25AB85C17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E98B82A-22E5-4E6C-90AE-56F5780EA147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "34672E90-C220-436B-9143-480941227933",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92883AFA-A02F-41A5-9977-ABEAC8AD2970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "989A78F8-EE92-465F-8A8D-ECF0B58AFE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1F5B6627-B4A4-4E2D-B96C-CA37CCC8C804",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "ACFB09F3-32D1-479C-8C39-D7329D9A6623",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "717F6995-5AF0-484C-90C0-A82F25FD2E32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9C36C-EF7E-4D42-9749-E2FF6CE35A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C98575E2-E39A-4A8F-B5B5-BD280B8367BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDA08E7-A417-44E8-9C89-EB22BEEC3B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "DCD1B6BE-CF07-4DA8-A703-4A48506C8AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "5878E08E-2741-4798-94E9-BA8E07386B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "69F6BAB7-C099-4345-A632-7287AEA555B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the \u0027;\u0027 character, as demonstrated by a URI containing a \"snp/snoop.jsp;\" sequence."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en ciertos ficheros JSP en la aplicaci\u00f3n web de ejemplo en el Apache Tomcat 4.0.0 hasta el 4.0.6, 4.1.0 hasta el 4.1.36, 5.0.0 hasta el 5.0.30, 5.5.0 hasta el 5.5.24 y el 6.0.0 hasta el 6.0.13 permiten a atacantes remotos la inyecci\u00f3n de secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s de la porci\u00f3n de URI despu\u00e9s del caracter \u0027;\u0027, como lo demostrado utilizando una URI que conten\u00eda una secuencia \"snp/snoop.jsp;\"."
}
],
"id": "CVE-2007-2449",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-06-14T23:30:00.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "secalert@redhat.com",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "secalert@redhat.com",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/36080"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/26076"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/27037"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/27727"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/29392"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30802"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/31493"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "secalert@redhat.com",
"url": "http://securityreason.com/securityalert/2804"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "secalert@redhat.com",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:241"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2007-0569.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/471351/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/24476"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id?1018245"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/2213"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/3386"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34869"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10578"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/36080"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/26076"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/27037"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/27727"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/29392"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30802"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31493"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/2804"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:241"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2007-0569.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/471351/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/24476"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1018245"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/2213"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/3386"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34869"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10578"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-06 21:59
Modified
2025-04-20 01:37
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
References
Impacted products
{
"cisaActionDue": "2023-06-02",
"cisaExploitAdd": "2023-05-12",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Apache Tomcat Remote Code Execution Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BDAB7E8F-98DA-43F2-B2AE-F0C5F1581B4A",
"versionEndExcluding": "6.0.48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "39AB06BF-6948-44FA-AE78-CDEF64D7B771",
"versionEndExcluding": "7.0.73",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FBC4F54A-F99A-4B1A-AAE4-0C64950C118D",
"versionEndExcluding": "8.0.39",
"versionStartIncluding": "8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EE43E8ED-8C32-42AF-A76F-8731C0F8DE7D",
"versionEndExcluding": "8.5.7",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "67BBBD83-E232-4198-9748-C512D9E0EEDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7EF6650C-558D-45C8-AE7D-136EE70CB6D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*",
"matchCriteriaId": "3BD81527-A341-42C3-9AB9-880D3DB04B08",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9F4754FB-E3EB-454A-AB1A-AE3835C5350C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8E2F2F98-DB90-43F6-8F28-3656207B6188",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "61C5D278-11E5-4A2F-9860-6FFA579398CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1B21D189-0E7D-4878-91A0-BE38A4ABA1FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "ED43772F-D280-42F6-A292-7198284D6FE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_application_session_controller:3.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CC967A48-D834-4E9B-8CEC-057E7D5B8174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_application_session_controller:3.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F920CDE4-DF29-4611-93E9-A386C89EDB62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "622B95F1-8FA4-4AA6-9B68-5FE4302BA150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C510CE66-DD71-45C8-B678-9BD81EC7FFBB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BF0A211C-7C3D-46AE-B525-890A9194C422",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B1AD7C68-81DF-4332-AEB3-B368E0221F52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1A3DC116-2844-47A1-BEC2-D0675DD97148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E0F1DF3E-0F2D-4EFC-9A3E-F72149C8AE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:micros_relate_crm_software:10.8:*:*:*:*:*:*:*",
"matchCriteriaId": "BDE82F56-65B9-490B-8096-037ADD9819AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:micros_relate_crm_software:11.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EE3A1A04-5AAE-40D9-842A-8B46211C5D95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "78933DD0-F774-4E60-BC66-D5A57919717A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8ECA7A7E-8177-4FD4-B9B9-F4B1B6F43F98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "73C9A2AD-F384-44D5-AB33-86B7250760A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.7.7:*:*:*:*:*:*:*",
"matchCriteriaId": "CD8F1BF2-C047-4296-815B-B21A2A673DFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA3F5761-E2A0-4F67-BAE1-503877676BF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C1E3C86B-4483-430A-856D-7EAB7D388D2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CC2D40A0-F2F0-476C-959E-39CA64B430ED",
"versionEndIncluding": "3.2.8.2223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C992CCD1-54C9-4BC2-876F-7A5D76571DEA",
"versionEndIncluding": "3.3.4.3247",
"versionStartIncluding": "3.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BEBB610E-4FE2-41C2-B3A3-D67077A60F82",
"versionEndIncluding": "3.4.2.4181",
"versionStartIncluding": "3.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_convenience_and_fuel_pos_software:2.1.132:*:*:*:*:*:*:*",
"matchCriteriaId": "DA5B8931-D3B4-46A9-B1A0-9A6BBA365FC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:transportation_management:6.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "231DDD84-5AF3-4F0D-81D8-DA0F942E78F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:transportation_management:6.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E7A714FB-050A-4040-BC57-C22FA4DD58D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:transportation_management:6.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A775321B-6DFB-4770-8F6D-D34D655438AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:transportation_management:6.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "835BB7D9-633C-4CB3-8E8F-CA6FD62E587A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:transportation_management:6.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "48FE41BA-1E3C-4626-930F-3F8FEE124A78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:transportation_management:6.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "40F284EF-05CF-4CF5-B7CA-F58AE01DA3B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:transportation_management:6.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "C09892E8-D580-488A-A80E-B358D682A25A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*",
"matchCriteriaId": "A58642E0-CA59-4DE6-A83C-F551FC621C32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn\u0027t updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types."
},
{
"lang": "es",
"value": "La ejecuci\u00f3n remota de c\u00f3digo es posible con Apache Tomcat en versiones anteriores a 6.0.48, 7.x en versiones anteriores a 7.0.73, 8.x en versiones anteriores a 8.0.39, 8.5.x en versiones anteriores a 8.5.7 y 9.x en versiones anteriores a 9.0.0.M12 si JmxRemoteLifecycleListener es utilizado y un atacante puede llegar a los puertos JMX. El problema existe porque este oyente no se actualiz\u00f3 por coherencia con el parche de Oracle CVE-2016-3427 que afect\u00f3 a los tipos de credenciales."
}
],
"id": "CVE-2016-8735",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2017-04-06T21:59:00.243",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2016/q4/502"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Broken Link"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1767644"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Broken Link"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1767656"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Broken Link"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1767676"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Broken Link"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1767684"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-9.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3738"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"source": "security@apache.org",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94463"
},
{
"source": "security@apache.org",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1037331"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:0455"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:0456"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20180607-0001/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4557-1/"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2016/q4/502"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Broken Link"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1767644"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Broken Link"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1767656"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Broken Link"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1767676"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Broken Link"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1767684"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-9.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94463"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1037331"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:0455"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:0456"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20180607-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4557-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-21 11:15
Modified
2024-11-21 08:07
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz | Mailing List, Vendor Advisory | |
| security@apache.org | https://security.netapp.com/advisory/ntap-20230714-0003/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20230714-0003/ | Third Party Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.88:*:*:*:*:*:*:*",
"matchCriteriaId": "E6EE9DE8-16EA-44D0-A03D-69F319D7DA00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.74:*:*:*:*:*:*:*",
"matchCriteriaId": "16971568-BE35-4653-B828-B66982DF6E21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "74C4852D-81E8-46EC-8B54-313CB096B34A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "538E68C4-0BA4-495F-AEF8-4EF6EE7963CF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak."
}
],
"id": "CVE-2023-34981",
"lastModified": "2024-11-21T08:07:46.027",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-06-21T11:15:09.410",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20230714-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20230714-0003/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-10-15 18:17
Modified
2025-04-09 00:30
Severity ?
Summary
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | 4.0.0 | |
| apache | tomcat | 4.0.1 | |
| apache | tomcat | 4.0.2 | |
| apache | tomcat | 4.0.3 | |
| apache | tomcat | 4.0.4 | |
| apache | tomcat | 4.0.5 | |
| apache | tomcat | 4.0.6 | |
| apache | tomcat | 4.1.0 | |
| apache | tomcat | 4.1.1 | |
| apache | tomcat | 4.1.2 | |
| apache | tomcat | 4.1.3 | |
| apache | tomcat | 4.1.4 | |
| apache | tomcat | 4.1.5 | |
| apache | tomcat | 4.1.6 | |
| apache | tomcat | 4.1.7 | |
| apache | tomcat | 4.1.8 | |
| apache | tomcat | 4.1.9 | |
| apache | tomcat | 4.1.10 | |
| apache | tomcat | 4.1.11 | |
| apache | tomcat | 4.1.12 | |
| apache | tomcat | 4.1.13 | |
| apache | tomcat | 4.1.14 | |
| apache | tomcat | 4.1.15 | |
| apache | tomcat | 4.1.16 | |
| apache | tomcat | 4.1.17 | |
| apache | tomcat | 4.1.18 | |
| apache | tomcat | 4.1.19 | |
| apache | tomcat | 4.1.20 | |
| apache | tomcat | 4.1.21 | |
| apache | tomcat | 4.1.22 | |
| apache | tomcat | 4.1.23 | |
| apache | tomcat | 4.1.24 | |
| apache | tomcat | 4.1.25 | |
| apache | tomcat | 4.1.26 | |
| apache | tomcat | 4.1.27 | |
| apache | tomcat | 4.1.28 | |
| apache | tomcat | 4.1.29 | |
| apache | tomcat | 4.1.30 | |
| apache | tomcat | 4.1.31 | |
| apache | tomcat | 4.1.32 | |
| apache | tomcat | 4.1.33 | |
| apache | tomcat | 4.1.34 | |
| apache | tomcat | 4.1.35 | |
| apache | tomcat | 4.1.36 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "914E1404-01A2-4F94-AA40-D5EA20F55AD3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81FB1106-B26D-45BE-A511-8E69131BBA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "401A213A-FED3-49C0-B823-2E02EA528905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7641278D-3B8B-4CD2-B284-2047B65514A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7B9911-E836-4A96-A0E8-D13C957EC0EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D2341C51-A239-4A4A-B0DC-30F18175442C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0E300013-0CE7-4313-A553-74A6A247B3E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E08D7414-8D0C-45D6-8E87-679DF0201D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AB15C5DB-0DBE-4DAD-ACBD-FAE23F768D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "60CFD9CA-1878-4C74-A9BD-5D581736E6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "02860646-1D72-4D9A-AE2A-5868C8EDB3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "5BE4B9B5-9C2E-47E1-9483-88A17264594F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "5BE92A9B-4B8C-468E-9162-A56ED5313E17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "AE21D455-5B38-4B07-8E25-4EE782501EB3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "B9AE125C-EB8E-4D33-BB64-1E2AEE18BF81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "47588ABB-FCE6-478D-BEAD-FC9A0C7D66DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C92F3744-C8F9-4E29-BF1A-25E03A32F2C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "084B3227-FE22-43E3-AE06-7BB257018690",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "F7DDA1D1-1DB2-4FD6-90A6-7DDE2FDD73F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D2BFF1D5-2E34-4A01-83A7-6AA3A112A1B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6D536FF4-7582-4351-ABE3-876E20F8E7FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*",
"matchCriteriaId": "1C03E4C9-34E3-42F7-8B73-D3C595FD7EE1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.16:*:*:*:*:*:*:*",
"matchCriteriaId": "FB43F47F-5BF9-43A0-BF0E-451B4A8F7137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.17:*:*:*:*:*:*:*",
"matchCriteriaId": "DFFFE700-AAFE-4F5B-B0E2-C3DA76DE492D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.18:*:*:*:*:*:*:*",
"matchCriteriaId": "11DDD82E-5D83-4581-B2F3-F12655BBF817",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8A0F0C91-171E-421D-BE86-11567DEFC7BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.20:*:*:*:*:*:*:*",
"matchCriteriaId": "F22D2621-D305-43CE-B00D-9A7563B061F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.21:*:*:*:*:*:*:*",
"matchCriteriaId": "9A5D55E8-D3A3-4784-8AC6-CCB07E470AB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.22:*:*:*:*:*:*:*",
"matchCriteriaId": "7F4245BA-B05C-49DE-B2E0-1E588209ED3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.23:*:*:*:*:*:*:*",
"matchCriteriaId": "8633532B-9785-4259-8840-B08529E20DCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*",
"matchCriteriaId": "B1D9BD7E-FCC2-404B-A057-1A10997DAFF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F935ED72-58F4-49C1-BD9F-5473E0B9D8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.26:*:*:*:*:*:*:*",
"matchCriteriaId": "FADB75DC-8713-4F0C-9F06-30DA6F6EF6B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.27:*:*:*:*:*:*:*",
"matchCriteriaId": "2EA52901-2D16-4F7E-BF5E-780B42A55D6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*",
"matchCriteriaId": "6A79DA2C-35F3-47DE-909B-8D8D1AE111C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.29:*:*:*:*:*:*:*",
"matchCriteriaId": "8BF6952D-6308-4029-8B63-0BD9C648C60F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.30:*:*:*:*:*:*:*",
"matchCriteriaId": "94941F86-0BBF-4F30-8F13-FB895A11ED69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*",
"matchCriteriaId": "17522878-4266-432A-859D-C02096C8AC0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.32:*:*:*:*:*:*:*",
"matchCriteriaId": "951FFCD7-EAC2-41E6-A53B-F90C540327E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.33:*:*:*:*:*:*:*",
"matchCriteriaId": "BF1F2738-C7D6-4206-9227-43F464887FF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.34:*:*:*:*:*:*:*",
"matchCriteriaId": "98EEB6F2-A721-45CF-A856-0E01B043C317",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.35:*:*:*:*:*:*:*",
"matchCriteriaId": "02FDE602-A56A-477E-B704-41AF92EEBB9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.36:*:*:*:*:*:*:*",
"matchCriteriaId": "5A28B11A-3BC7-41BC-8970-EE075B029F5C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de ruta absoluta en Apache Tomcat 4.0.0 hasta la versi\u00f3n 4.0.6, 4.1.0, 5.0.0, 5.5.0 hasta la versi\u00f3n 5.5.25 y 6.0.0 hasta la versi\u00f3n 6.0.14, bajo determinadas configuraciones, permite a usuarios remotos autenticados leer archivos arbitrarios a trav\u00e9s de una petici\u00f3n de escritura WebDAV que especifica una entidad con una etiqueta SYSTEM."
}
],
"id": "CVE-2007-5461",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-10-15T18:17:00.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html"
},
{
"source": "secalert@redhat.com",
"url": "http://issues.apache.org/jira/browse/GERONIMO-3549"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3C47135C2D.1000705%40apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://marc.info/?l=full-disclosure\u0026m=119239530508382"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/27398"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/27446"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/27481"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/27727"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/28317"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/28361"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/29242"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/29313"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/29711"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30676"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30802"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/31493"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/32120"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/32222"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/32266"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/37460"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "secalert@redhat.com",
"url": "http://security.gentoo.org/glsa/glsa-200804-10.xml"
},
{
"source": "secalert@redhat.com",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT3216"
},
{
"source": "secalert@redhat.com",
"url": "http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www-1.ibm.com/support/docview.wss?uid=swg21286112"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2008/dsa-1447"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2008/dsa-1453"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:241"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:136"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0042.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0195.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/26070"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/31681"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id?1018864"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vmware.com/security/advisories/VMSA-2008-0010.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/3622"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/3671"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/3674"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/1856/references"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/2780"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/2823"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37243"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9202"
},
{
"source": "secalert@redhat.com",
"url": "https://www.exploit-db.com/exploits/4530"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://issues.apache.org/jira/browse/GERONIMO-3549"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3C47135C2D.1000705%40apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://marc.info/?l=full-disclosure\u0026m=119239530508382"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/27398"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/27446"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/27481"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/27727"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/28317"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/28361"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/29242"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/29313"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/29711"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30676"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30802"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31493"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/32120"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/32222"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/32266"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/37460"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://security.gentoo.org/glsa/glsa-200804-10.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT3216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www-1.ibm.com/support/docview.wss?uid=swg21286112"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2008/dsa-1447"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2008/dsa-1453"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:241"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:136"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0042.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0195.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/26070"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/31681"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1018864"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/security/advisories/VMSA-2008-0010.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/3622"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/3671"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/3674"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1856/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/2780"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/2823"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37243"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9202"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/4530"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-07-04 22:59
Modified
2025-04-12 10:46
Severity ?
Summary
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hp:icewall_identity_manager:5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EE418D71-EAD6-4BB6-B6D6-88CE0FFA5A53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hp:icewall_sso_agent_option:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "531FE660-C1A9-4C83-90BE-E38AA493D4F7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "4693BD36-E522-4C8E-9667-8F3E14A05EF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF96F96-34DB-4EB3-BF59-11220673FA26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EDF3E379-47D2-4C86-8C6D-8B3C25A0E1C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "61E008F8-2F01-4DD8-853A-337B4B4163C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "701424A2-BB06-44B5-B468-7164E4F95529",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1BA6388C-5B6E-4651-8AE3-EBCCF61C27E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "8F9A5B7E-33A9-4651-9BE1-371A0064B661",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "F99252E8-A59C-48E1-B251-718D7FB3E399",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "4E0DDEF6-A8EE-46C4-A046-A1F26E7C4E87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "14B38892-9C00-4510-B7BA-F2A8F2CACCAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "7409B064-D43E-489E-AEC6-0A767FB21737",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "F019268F-80C4-48FE-8164-E9DA0A3BAFF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "1EFBD214-FCFE-4F04-A903-66EFDA764B9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "425D86B3-6BB9-410D-8125-F7CF87290AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "3EE3BB0D-1002-41E4-9BE8-875D97330057",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "6622472B-8644-4D45-A54B-A215C3D64B83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "B338F95B-2924-435B-827F-E64420A93244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "209D1349-7740-4DBE-80A5-E6343C62BAB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "09E77C24-C265-403D-A193-B3739713F6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "28616FA3-9A98-4AAE-9F94-3E77A14156EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "603A14BF-72BB-4A3D-8CBC-932DC45CEC06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "4C2E1C55-3C89-4F26-A981-1195BCC9BB5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "31BB906B-812F-462C-9AEE-147C1418D865",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69A7FC28-A0EC-4516-9776-700343D2F4DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D811A9-4988-4C11-AA27-F5BE2B93D8D4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*",
"matchCriteriaId": "63CCC942-8906-421A-A1C8-E105B54912D5",
"versionEndIncluding": "1.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*",
"matchCriteriaId": "6F1B937B-57E0-4E88-9E39-39012A924525",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
"matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7D0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*",
"matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*",
"matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*",
"matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA1555C-E55A-4E14-B786-BFEE3F09220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*",
"matchCriteriaId": "F8075E9A-DA7F-4A0B-8B4D-0CD951369111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*",
"matchCriteriaId": "335A5320-6086-4B45-9903-82F6F92A584F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*",
"matchCriteriaId": "46B33408-C2E2-4E7C-9334-6AB98F13468C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*",
"matchCriteriaId": "9F036676-9EFB-4A92-828E-A38905D594E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*",
"matchCriteriaId": "E9728EE8-6029-4DF3-942E-E4ACC09111A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*",
"matchCriteriaId": "34E7DAC8-8419-45D1-A28F-14CF2FE1B6EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*",
"matchCriteriaId": "89B87EB5-4902-4C2A-878A-45185F7D0FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*",
"matchCriteriaId": "C0596E6C-9ACE-4106-A2FF-BED7967C323F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string."
},
{
"lang": "es",
"value": "La clase MultipartStream en Apache Commons Fileupload en versiones anteriores a 1.3.2, tal como se utiliza en Apache Tomcat 7.x en versiones anteriores a 7.0.70, 8.x en versiones anteriores a 8.0.36, 8.5.x en versiones anteriores a 8.5.3 y 9.x en versiones anteriores a 9.0.0.M7 y otros productos, permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de CPU) a trav\u00e9s de una cadena de l\u00edmite largo."
}
],
"id": "CVE-2016-3092",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-07-04T22:59:04.303",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://jvn.jp/en/jp/JVN89379547/index.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"VDB Entry",
"Vendor Advisory"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List"
],
"url": "http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2068.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2069.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2070.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2071.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2072.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743480"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743722"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743738"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743742"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-9.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3609"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3611"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3614"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/91453"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1036427"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1036900"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1037029"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1039606"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3024-1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3027-1"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2017:0455"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2017:0456"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1349468"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Permissions Required",
"Third Party Advisory"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "secalert@redhat.com",
"url": "https://security.gentoo.org/glsa/202107-39"
},
{
"source": "secalert@redhat.com",
"url": "https://security.netapp.com/advisory/ntap-20190212-0001/"
},
{
"source": "secalert@redhat.com",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "secalert@redhat.com",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://jvn.jp/en/jp/JVN89379547/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"VDB Entry",
"Vendor Advisory"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2068.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2069.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2070.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2071.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2072.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743480"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743722"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1743742"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-9.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3609"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3611"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3614"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/91453"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1036427"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1036900"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1037029"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1039606"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3024-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3027-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:0455"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:0456"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1349468"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Permissions Required",
"Third Party Advisory"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/202107-39"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20190212-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-10-04 13:29
Modified
2024-11-21 03:44
Severity ?
Summary
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "685846FE-E90A-45AA-9AD1-C15AEFE6928C",
"versionEndIncluding": "7.0.90",
"versionStartIncluding": "7.0.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E7530550-BDF3-4F91-B20C-0B79B40F0E6B",
"versionEndIncluding": "8.5.33",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0B520E7-9CB1-4FE7-88F7-66419AC81B90",
"versionEndIncluding": "9.0.11",
"versionStartIncluding": "9.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7C6119C4-1200-4EBE-89AB-6AB755C6DE3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9F4754FB-E3EB-454A-AB1A-AE3835C5350C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "5E92F9B3-3841-4C05-88F0-CEB0735EA4BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B353CE99-D57C-465B-AAB0-73EF581127D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "BF77CDCF-B9C9-427D-B2BF-36650FB2148C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:communications_application_session_controller:3.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CC967A48-D834-4E9B-8CEC-057E7D5B8174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_application_session_controller:3.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F920CDE4-DF29-4611-93E9-A386C89EDB62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1A3DC116-2844-47A1-BEC2-D0675DD97148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E0F1DF3E-0F2D-4EFC-9A3E-F72149C8AE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*",
"matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EAA4DF85-9225-4422-BF10-D7DAE7DCE007",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "77C2A2A4-285B-40A1-B9AD-42219D742DD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EE8CF045-09BB-4069-BCEC-496D5AE3B780",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B5265C91-FF5C-4451-A7C2-D388A65ACFA2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to \u0027/foo/\u0027 when the user requested \u0027/foo\u0027) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice."
},
{
"lang": "es",
"value": "Cuando el servlet por defecto en Apache Tomcat en versiones de la 9.0.0.M1 a la 9.0.11, de la 8.5.0 a la 8.5.33 y de la 7.0.23 a la 7.0.90 devolv\u00eda una redirecci\u00f3n a un directorio (por ejemplo, redirigiendo a \"/foo/\u0027\u0027 cuando el usuario solicit\u00f3 \u0027\"/foo\") se pudo usar una URL especialmente manipulada para hacer que la redirecci\u00f3n se generara a cualquier URI de la elecci\u00f3n del atacante."
}
],
"id": "CVE-2018-11784",
"lastModified": "2024-11-21T03:44:01.827",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-10-04T13:29:00.330",
"references": [
{
"source": "security@apache.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html"
},
{
"source": "security@apache.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html"
},
{
"source": "security@apache.org",
"url": "http://packetstormsecurity.com/files/163456/Apache-Tomcat-9.0.0M1-Open-Redirect.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105524"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0130"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0131"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0485"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2019:1529"
},
{
"source": "security@apache.org",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00005.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00006.html"
},
{
"source": "security@apache.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ4PX4B3QTKRM35VJAVIEOPZAF76RPBP/"
},
{
"source": "security@apache.org",
"url": "https://seclists.org/bugtraq/2019/Dec/43"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20181014-0002/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3787-1/"
},
{
"source": "security@apache.org",
"url": "https://www.debian.org/security/2019/dsa-4596"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/163456/Apache-Tomcat-9.0.0M1-Open-Redirect.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105524"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0130"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0131"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0485"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2019:1529"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00005.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ4PX4B3QTKRM35VJAVIEOPZAF76RPBP/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://seclists.org/bugtraq/2019/Dec/43"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20181014-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3787-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.debian.org/security/2019/dsa-4596"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-25 01:59
Modified
2025-04-12 10:46
Severity ?
Summary
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*",
"matchCriteriaId": "0A354C34-A3FE-4B8A-9985-8874A0634BC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*",
"matchCriteriaId": "CFE300CC-FD4A-444E-8506-E5E269D0A0A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*",
"matchCriteriaId": "F50A3EC9-516E-48A7-839B-A73F491B5B9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "8C28F09D-5CAA-4CA7-A2B5-3B2820F5F409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:alpha:*:*:*:*:*:*",
"matchCriteriaId": "FAC2FC75-97D2-4EA1-A1A0-F592A6D7C1F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "48E5E8C3-21AD-4230-B945-AB7DE66307B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4945C8C1-C71B-448B-9075-07C6C92599CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED4730B0-2E09-408B-AFD4-FE00F73700FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DE8A8A-7643-4292-BCC1-758AE0940207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "E9B54FCD-CF7C-47E2-8513-40419E47AF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "D87EFB6D-B626-469F-907C-40C771A55833",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "6330B97B-8FC5-4D7E-A960-5D94EDD0C378",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "2A0B2FA4-772E-4B23-8B3F-CC86515E4226",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*",
"matchCriteriaId": "6F1B937B-57E0-4E88-9E39-39012A924525",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
"matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7D0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*",
"matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*",
"matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*",
"matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA1555C-E55A-4E14-B786-BFEE3F09220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*",
"matchCriteriaId": "F8075E9A-DA7F-4A0B-8B4D-0CD951369111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*",
"matchCriteriaId": "335A5320-6086-4B45-9903-82F6F92A584F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*",
"matchCriteriaId": "46B33408-C2E2-4E7C-9334-6AB98F13468C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*",
"matchCriteriaId": "9F036676-9EFB-4A92-828E-A38905D594E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*",
"matchCriteriaId": "E9728EE8-6029-4DF3-942E-E4ACC09111A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F963D737-2E95-4D7C-92C7-DACF3F36D1E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF96F96-34DB-4EB3-BF59-11220673FA26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "701424A2-BB06-44B5-B468-7164E4F95529",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1BA6388C-5B6E-4651-8AE3-EBCCF61C27E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "8F9A5B7E-33A9-4651-9BE1-371A0064B661",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "F99252E8-A59C-48E1-B251-718D7FB3E399",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "4E0DDEF6-A8EE-46C4-A046-A1F26E7C4E87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "14B38892-9C00-4510-B7BA-F2A8F2CACCAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "7409B064-D43E-489E-AEC6-0A767FB21737",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "F019268F-80C4-48FE-8164-E9DA0A3BAFF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "1EFBD214-FCFE-4F04-A903-66EFDA764B9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "425D86B3-6BB9-410D-8125-F7CF87290AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "3EE3BB0D-1002-41E4-9BE8-875D97330057",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "6622472B-8644-4D45-A54B-A215C3D64B83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "B338F95B-2924-435B-827F-E64420A93244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "209D1349-7740-4DBE-80A5-E6343C62BAB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "09E77C24-C265-403D-A193-B3739713F6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character."
},
{
"lang": "es",
"value": "El componente Mapper en Apache Tomcat 6.x en versiones anteriores a 6.0.45, 7.x en versiones anteriores a 7.0.68, 8.x en versiones anteriores a 8.0.30, y 9.x en versiones anteriores a 9.0.0.M2 procesa redirecciones antes de considerar las restricciones y Filtros de seguridad, lo que permite a atacantes remotos determinar la existencia de un directorio a trav\u00e9s de una URL que carece de un car\u00e1cter / (barra) final."
}
],
"id": "CVE-2015-5345",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-25T01:59:01.137",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=145974991225029\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://packetstormsecurity.com/files/135892/Apache-Tomcat-Directory-Disclosure.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1089.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/bugtraq/2016/Feb/146"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/fulldisclosure/2016/Feb/122"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1715206"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1715207"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1715213"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1715216"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1716882"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1716894"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1717209"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1717212"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1717216"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-9.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3552"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3609"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.qcsec.com/blog/CVE-2015-5345-apache-tomcat-vulnerability.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/83328"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1035071"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-3024-1"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2016:1087"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2016:1088"
},
{
"source": "secalert@redhat.com",
"url": "https://bto.bluecoat.com/security-advisory/sa118"
},
{
"source": "secalert@redhat.com",
"url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=58765"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"
},
{
"source": "secalert@redhat.com",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10156"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "secalert@redhat.com",
"url": "https://security.netapp.com/advisory/ntap-20180531-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=145974991225029\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/135892/Apache-Tomcat-Directory-Disclosure.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1089.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/bugtraq/2016/Feb/146"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2016/Feb/122"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1715206"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1715207"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1715213"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1715216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1716882"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1716894"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1717209"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1717212"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1717216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-9.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3552"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3609"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.qcsec.com/blog/CVE-2015-5345-apache-tomcat-vulnerability.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/83328"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1035071"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-3024-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2016:1087"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2016:1088"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bto.bluecoat.com/security-advisory/sa118"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=58765"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10156"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20180531-0001/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-28 20:29
Modified
2024-11-21 03:59
Severity ?
Summary
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0204E778-1E01-4781-8B75-B9246B2AFCCF",
"versionEndIncluding": "7.0.84",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF49B49E-FE51-4731-81F4-75489CEB5270",
"versionEndIncluding": "8.0.49",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "760F85D9-4F6A-479B-987A-A096F0EF888A",
"versionEndIncluding": "8.5.27",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F81CB598-6F12-4934-ACCF-4498CF07C898",
"versionEndIncluding": "9.0.4",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6:*:*:*:*:*:*:*",
"matchCriteriaId": "68E89E9D-88CA-4BCC-8871-EF4AF913D871",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "E2E0AFF9-F664-4D46-AEF4-07C725CC5448",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8E2F2F98-DB90-43F6-8F28-3656207B6188",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*",
"matchCriteriaId": "9070C9D8-A14A-467F-8253-33B966C16886",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2177A5E9-B260-499E-8D60-920679518425",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1A3DC116-2844-47A1-BEC2-D0675DD97148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E0F1DF3E-0F2D-4EFC-9A3E-F72149C8AE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:micros_relate_crm_software:11.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EE3A1A04-5AAE-40D9-842A-8B46211C5D95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:secure_global_desktop:5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "8B4B4E96-1F12-4719-BDB7-4ED5D3DCF9ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B5265C91-FF5C-4451-A7C2-D388A65ACFA2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4A0F87-524E-4935-9B07-93793D8143FD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The URL pattern of \"\" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected."
},
{
"lang": "es",
"value": "El patr\u00f3n de URL \"\" (la cadena vac\u00eda) que mapea exactamente al root de contexto no se gestion\u00f3 correctamente en Apache Tomcat 9.0.0.M1 a 9.0.4, 8.5.0 a 8.5.27, 8.0.0.RC1 a 8.0.49 y 7.0.0 a 7.0.84 al emplearse como parte de una definici\u00f3n de limitaci\u00f3n de seguridad. Esto provoc\u00f3 que el l\u00edmite se ignorase. Por lo tanto, era posible que usuarios no autorizados obtuviesen acceso a recursos de la aplicaci\u00f3n web que tendr\u00edan que haber estado protegidos. Solo se han visto afectadas las limitaciones de seguridad con un patr\u00f3n URL de cadena vac\u00eda."
}
],
"id": "CVE-2018-1304",
"lastModified": "2024-11-21T03:59:35.043",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-28T20:29:00.227",
"references": [
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103170"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1040427"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0465"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0466"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1320"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1447"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1448"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1449"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1450"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1451"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2939"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2019:2205"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20180706-0001/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3665-1/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4281"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103170"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1040427"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0465"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0466"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1320"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1447"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1448"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1449"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1450"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1451"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2939"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2019:2205"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20180706-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3665-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4281"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-01-14 21:55
Modified
2025-04-11 00:51
Severity ?
Summary
DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E98B82A-22E5-4E6C-90AE-56F5780EA147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "34672E90-C220-436B-9143-480941227933",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92883AFA-A02F-41A5-9977-ABEAC8AD2970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "989A78F8-EE92-465F-8A8D-ECF0B58AFE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1F5B6627-B4A4-4E2D-B96C-CA37CCC8C804",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "ACFB09F3-32D1-479C-8C39-D7329D9A6623",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "717F6995-5AF0-484C-90C0-A82F25FD2E32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9C36C-EF7E-4D42-9749-E2FF6CE35A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C98575E2-E39A-4A8F-B5B5-BD280B8367BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDA08E7-A417-44E8-9C89-EB22BEEC3B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "DCD1B6BE-CF07-4DA8-A703-4A48506C8AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "5878E08E-2741-4798-94E9-BA8E07386B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "69F6BAB7-C099-4345-A632-7287AEA555B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AAF031-D16B-4D51-9581-2D1376A5157B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*",
"matchCriteriaId": "51120689-F5C0-4DF1-91AA-314C40A46C58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F67477AB-85F6-421C-9C0B-C8EFB1B200CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*",
"matchCriteriaId": "16D0C265-2ED9-42CF-A7D6-C7FAE4246A1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*",
"matchCriteriaId": "5D70CFD9-B55D-4A29-B94C-D33F3E881A8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*",
"matchCriteriaId": "C1195878-CCC9-49BC-9AC7-1F88F0DFAB82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.29:*:*:*:*:*:*:*",
"matchCriteriaId": "375C26A9-623E-483A-BC11-468D9DE278C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.30:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDDD480-3C9E-4BE9-848A-99A13145C2AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.31:*:*:*:*:*:*:*",
"matchCriteriaId": "42BB8770-0BB4-4F23-AE24-58745095060D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.32:*:*:*:*:*:*:*",
"matchCriteriaId": "7B980C39-A4D8-483A-B48C-36CA4F5CEAA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.33:*:*:*:*:*:*:*",
"matchCriteriaId": "DFF7178D-DC9B-45F7-BEA4-701B1EAEC2CC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D11D6FB7-CBDB-48C1-98CB-1B3CAA36C5D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "CE92E59A-FF0D-4D1A-8B12-CC41A7E1FD3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184."
},
{
"lang": "es",
"value": "DigestAuthenticator.java en la implementaci\u00f3n HTTP Digest Access Authentication en Apache Tomcat v5.5.x anterior a v5.5.34, v6.x anterior a v6.0.33, y v7.x anterior a v7.0.12 usa Catalina como \"hard-coded server secret\"(tambi\u00e9n conocido como clave privada), haci\u00e9ndo m\u00e1s f\u00e1cil para atacantes remotos evitar mecanismos de protecci\u00f3n criptogr\u00e1fica mediante el conocimiento de esta cadena, una vulnerabilidad diferente a CVE-2011-1184."
}
],
"id": "CVE-2011-5064",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-01-14T21:55:00.897",
"references": [
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0077.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0078.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0325.html"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=rev\u0026rev=1087655"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=rev\u0026rev=1158180"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=rev\u0026rev=1159309"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2012/dsa-2401"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0077.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0078.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0325.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=rev\u0026rev=1087655"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=rev\u0026rev=1158180"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=rev\u0026rev=1159309"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2012/dsa-2401"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-02-12 01:00
Modified
2025-04-09 00:30
Severity ?
Summary
Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | 5.5.11 | |
| apache | tomcat | 5.5.12 | |
| apache | tomcat | 5.5.13 | |
| apache | tomcat | 5.5.14 | |
| apache | tomcat | 5.5.15 | |
| apache | tomcat | 5.5.16 | |
| apache | tomcat | 5.5.17 | |
| apache | tomcat | 5.5.18 | |
| apache | tomcat | 5.5.19 | |
| apache | tomcat | 5.5.20 | |
| apache | tomcat | 5.5.21 | |
| apache | tomcat | 5.5.22 | |
| apache | tomcat | 5.5.23 | |
| apache | tomcat | 5.5.24 | |
| apache | tomcat | 5.5.25 | |
| apache | tomcat | 6.0.0 | |
| apache | tomcat | 6.0.1 | |
| apache | tomcat | 6.0.2 | |
| apache | tomcat | 6.0.3 | |
| apache | tomcat | 6.0.4 | |
| apache | tomcat | 6.0.5 | |
| apache | tomcat | 6.0.6 | |
| apache | tomcat | 6.0.7 | |
| apache | tomcat | 6.0.8 | |
| apache | tomcat | 6.0.9 | |
| apache | tomcat | 6.0.10 | |
| apache | tomcat | 6.0.11 | |
| apache | tomcat | 6.0.12 | |
| apache | tomcat | 6.0.13 | |
| apache | tomcat | 6.0.14 | |
| apache | tomcat | 6.0.15 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9C36C-EF7E-4D42-9749-E2FF6CE35A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C98575E2-E39A-4A8F-B5B5-BD280B8367BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDA08E7-A417-44E8-9C89-EB22BEEC3B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "DCD1B6BE-CF07-4DA8-A703-4A48506C8AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "5878E08E-2741-4798-94E9-BA8E07386B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "69F6BAB7-C099-4345-A632-7287AEA555B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AAF031-D16B-4D51-9581-2D1376A5157B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*",
"matchCriteriaId": "51120689-F5C0-4DF1-91AA-314C40A46C58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F67477AB-85F6-421C-9C0B-C8EFB1B200CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of \"a duplicate copy of one of the recent requests,\" as demonstrated by using netcat to send the empty request."
},
{
"lang": "es",
"value": "Apache Tomcat de 5.5.11 a 5.5.25 y de 6.0.0 a 6.0.15, cuando se utiliza el conector ARP nativo no maneja correctamente una petici\u00f3n vac\u00eda al puerto SSL, lo que permite a atacantes remotos disparar el manejo de \"una copia duplicada de una de las peticiones recientes\", como se demostr\u00f3 utilizando netcat para enviar la petici\u00f3n vac\u00eda."
}
],
"id": "CVE-2007-6286",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-02-12T01:00:00.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/28878"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/28915"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/29711"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30676"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/32222"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/37460"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "secalert@redhat.com",
"url": "http://security.gentoo.org/glsa/glsa-200804-10.xml"
},
{
"source": "secalert@redhat.com",
"url": "http://securityreason.com/securityalert/3637"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT3216"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:136"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/487823/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/31681"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vmware.com/security/advisories/VMSA-2008-0010.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/0488"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/1856/references"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/2780"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/28878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/28915"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/29711"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30676"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/32222"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/37460"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://security.gentoo.org/glsa/glsa-200804-10.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/3637"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT3216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:136"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/487823/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/31681"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/security/advisories/VMSA-2008-0010.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/0488"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1856/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/2780"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vendorComments": [
{
"comment": "Not Vulnerable. Red Hat does not ship a version of Apache Tomcat that enables the native APR connector.",
"lastModified": "2008-04-17T00:00:00",
"organization": "Red Hat"
}
],
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-14 15:15
Modified
2024-11-21 05:02
Severity ?
Summary
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C2BCC3-5E98-4785-BA30-91044CDAD4B4",
"versionEndIncluding": "7.0.104",
"versionStartIncluding": "7.0.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D546DFCF-C56F-4769-BBC5-C0B764EEB666",
"versionEndIncluding": "8.5.56",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6BECF310-3247-4CE3-87F2-0E88C0278341",
"versionEndIncluding": "9.0.36",
"versionStartIncluding": "9.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "90CD7E85-4FF9-4158-AC78-4BFCBC882A65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "7EA56B52-1015-40CD-B10C-393768094269",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "501B0D4A-D636-4736-979B-D5023599CEFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "94E7764F-BF9E-463E-B446-A9A8DB92BB97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "53A9F7EE-AF2A-43E5-B708-0198784AB45A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "AC872C5F-63AF-4BB8-8629-334FC9704AE8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "34B80C9D-62AA-42FA-AB46-F8A414FCBE5E",
"versionEndIncluding": "3.1.3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEB90C24-D252-4099-A7A1-9F8754DFB4A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "106FDF5A-D377-4E5F-8BF9-09290019C98A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0F30D3AF-4FA3-4B7A-BE04-C24E2EA19A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*",
"matchCriteriaId": "7B00DDE7-7002-45BE-8EDE-65D964922CB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*",
"matchCriteriaId": "FF806B52-DAD5-4D12-8BB6-3CBF9DC6B8DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*",
"matchCriteriaId": "7DE847E0-431D-497D-9C57-C4E59749F6A0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*",
"matchCriteriaId": "46385384-5561-40AA-9FDE-A2DE4FDFAD3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*",
"matchCriteriaId": "B7CA7CA6-7CF2-48F6-81B5-69BA0A37EF4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*",
"matchCriteriaId": "9E4E5481-1070-4E1F-8679-1985DE4E785A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*",
"matchCriteriaId": "D9EEA681-67FF-43B3-8610-0FA17FD279E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*",
"matchCriteriaId": "C33BA8EA-793D-4E79-BE9C-235ACE717216",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "ED43772F-D280-42F6-A292-7198284D6FE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0DBC938-A782-433F-8BF1-CA250C332AA7",
"versionEndExcluding": "21.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "2A3622F5-5976-4BBC-A147-FC8A6431EA79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4479F76A-4B67-41CC-98C7-C76B81050F8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C4A94B36-479F-48F2-9B9E-ACEA2589EF48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9C5E9A12-BFE9-4963-A360-A34168A6BF6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:fmw_platform:12.2.1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA2E1357-E3A1-461C-B7A0-A9446E45496D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*",
"matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A2E3E923-E2AD-400D-A618-26ADF7F841A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9AB58D27-37F2-4A32-B786-3490024290A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "70C60E6C-1A61-422B-A132-FB024761F576",
"versionEndIncluding": "8.0.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30DB69BD-0F6E-4AB5-A861-7CB911C35660",
"versionEndIncluding": "20.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AD848FE1-CFD7-490C-B008-DF3B30F3256F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*",
"matchCriteriaId": "630C8E99-FE49-486E-9003-40B82809B7A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*",
"matchCriteriaId": "C842DE9E-5E12-4295-AFA5-DEB5FEDE490A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service."
},
{
"lang": "es",
"value": "La longitud de la carga \u00fatil en una trama de WebSocket no fue comprobada correctamente en Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0-M6, versiones 9.0.0.M1 hasta 9.0.36, versiones 8.5.0 hasta 8.5.56 y versiones 7.0.27 hasta 7.0. 104. Las longitudes de carga \u00fatil no v\u00e1lidas podr\u00edan desencadenar un bucle infinito. M\u00faltiples peticiones con longitudes de carga no v\u00e1lidas podr\u00edan conllevar a una denegaci\u00f3n de servicio"
}
],
"id": "CVE-2020-13935",
"lastModified": "2024-11-21T05:02:10.907",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-14T15:15:11.070",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Release Notes",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200724-0003/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4448-1/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4596-1/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4727"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"source": "security@apache.org",
"tags": [
"Not Applicable",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Release Notes",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200724-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4448-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4596-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4727"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-17 13:15
Modified
2025-07-01 20:30
Severity ?
Summary
Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | * | |
| netapp | bootstrap_os | - | |
| netapp | hci_compute_node | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4A10E3B7-32E3-40A9-9633-CAA2F1E2EFA3",
"versionEndExcluding": "9.0.98",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "499AC261-223E-483B-81AF-AFD6BEA35502",
"versionEndExcluding": "10.1.34",
"versionStartIncluding": "10.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EC54C74D-E851-4A9A-9C49-B8C80D5502AE",
"versionEndExcluding": "11.0.2",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*",
"matchCriteriaId": "95BA156C-C977-4F0C-8DFB-3FAE9CC8C02D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD7447BC-F315-4298-A822-549942FC118B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97.\n\nUsers are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue."
},
{
"lang": "es",
"value": "La vulnerabilidad de consumo descontrolado de recursos en la aplicaci\u00f3n web de ejemplo proporcionada con Apache Tomcat provoca una denegaci\u00f3n de servicio. Este problema afecta a Apache Tomcat: desde 11.0.0-M1 hasta 11.0.1, desde 10.1.0-M1 hasta 10.1.33, desde 9.0.0.M1 hasta 9.9.97. Se recomienda a los usuarios que actualicen a la versi\u00f3n 11.0.2, 10.1.34 o 9.0.98, que soluciona el problema."
}
],
"id": "CVE-2024-54677",
"lastModified": "2025-07-01T20:30:21.807",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-12-17T13:15:18.957",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2n"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/12/17/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/12/17/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/12/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20250131-0006/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-13 16:15
Modified
2025-05-19 13:02
Severity ?
Summary
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| apache | tomcat | 11.0.0 | |
| debian | debian_linux | 10.0 | |
| fedoraproject | fedora | 39 | |
| fedoraproject | fedora | 40 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E75E39D1-9AAE-4F50-9FA8-C1936AAFA896",
"versionEndExcluding": "8.5.99",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B1B2F3FF-1EF4-43FB-896D-C975E058978D",
"versionEndExcluding": "9.0.86",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "03C34A60-381C-4EBD-A116-B700BB41F751",
"versionEndExcluding": "10.1.19",
"versionStartIncluding": "10.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "D1AA7FF6-E8E7-4BF6-983E-0A99B0183008",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "57088BDD-A136-45EF-A8A1-2EBF79CEC2CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "B32D1D7A-A04F-444E-8F45-BB9A9E4B0199",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "0092FB35-3B00-484F-A24D-7828396A4FF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "CB557E88-FA9D-4B69-AA6F-EAEE7F9B01AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "72D3C6F1-84FA-4F82-96C1-9A8DA1C1F30F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "3521C81B-37D9-48FC-9540-D0D333B9A4A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "02A84634-A8F2-4BA9-B9F3-BEF36AEC5480",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "F1F981F5-035A-4EDD-8A9F-481EE8BC7FF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "03A171AF-2EC8-4422-912C-547CDB58CAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "538E68C4-0BA4-495F-AEF8-4EF6EE7963CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "49350A6E-5E1D-45B2-A874-3B8601B3ADCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "5F50942F-DF54-46C0-8371-9A476DD3EEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "D12C2C95-B79F-4AA4-8CE3-99A3EE7991AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "98792138-DD56-42DF-9612-3BDC65EEC117",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*",
"matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue."
},
{
"lang": "es",
"value": "Denegaci\u00f3n de servicio debido a una vulnerabilidad de validaci\u00f3n de entrada incorrecta para solicitudes HTTP/2 en Apache Tomcat. Al procesar una solicitud HTTP/2, si la solicitud exced\u00eda cualquiera de los l\u00edmites configurados para los encabezados, la secuencia HTTP/2 asociada no se restablec\u00eda hasta que se hubieran procesado todos los encabezados. Este problema afecta a Apache Tomcat: desde 11.0.0- M1 hasta 11.0.0-M16, desde 10.1.0-M1 hasta 10.1.18, desde 9.0.0-M1 hasta 9.0.85, desde 8.5.0 hasta 8.5.98. Se recomienda a los usuarios actualizar a la versi\u00f3n 11.0.0-M17, 10.1.19, 9.0.86 u 8.5.99, que solucionan el problema."
}
],
"id": "CVE-2024-24549",
"lastModified": "2025-05-19T13:02:08.910",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-03-13T16:15:29.373",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/13/3"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240402-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/13/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240402-0002/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-12-23 17:15
Modified
2024-11-21 04:32
Severity ?
Summary
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | * | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 | |
| opensuse | leap | 15.1 | |
| canonical | ubuntu_linux | 16.04 | |
| oracle | agile_engineering_data_management | 6.2.1.0 | |
| oracle | hyperion_infrastructure_technology | 11.1.2.4 | |
| oracle | instantis_enterprisetrack | * | |
| oracle | micros_relate_crm_software | 11.4 | |
| oracle | mysql_enterprise_monitor | * | |
| oracle | mysql_enterprise_monitor | * | |
| oracle | retail_order_broker | 15.0 | |
| oracle | transportation_management | 6.3.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7EB04743-D684-4412-B62F-F5C56786A3FD",
"versionEndIncluding": "7.0.98",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ACF840F7-DFE2-42F0-B009-757E8CB1AC44",
"versionEndIncluding": "8.5.49",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12271362-FF91-4F1B-8BC1-6825201A737F",
"versionEndIncluding": "9.0.29",
"versionStartIncluding": "9.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DED59B62-C9BF-4C0E-B351-3884E8441655",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A74FD5F-4FEA-4A74-8B92-72DFDE6BA464",
"versionEndIncluding": "17.3",
"versionStartIncluding": "17.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:micros_relate_crm_software:11.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EE3A1A04-5AAE-40D9-842A-8B46211C5D95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4A1EE377-1C18-41AF-8997-1BCA02378819",
"versionEndIncluding": "4.0.11.5331",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D37715D2-C39A-4ACC-AEEF-6A03FCBECE68",
"versionEndIncluding": "8.0.18.1217",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EE8CF045-09BB-4069-BCEC-496D5AE3B780",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*",
"matchCriteriaId": "A58642E0-CA59-4DE6-A83C-F551FC621C32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability."
},
{
"lang": "es",
"value": "Cuando se usa la autenticaci\u00f3n FORM con Apache Tomcat 9.0.0.M1 hasta 9.0.29, 8.5.0 hasta 8.5.49 y 7.0.0 hasta 7.0.98, hab\u00eda una ventana estrecha donde un atacante pod\u00eda llevar a cabo un ataque de fijaci\u00f3n de sesi\u00f3n. La ventana fue considerada demasiado estrecha para que una explotaci\u00f3n sea pr\u00e1ctica, pero, por precauci\u00f3n, este problema ha sido tratado como una vulnerabilidad de seguridad."
}
],
"id": "CVE-2019-17563",
"lastModified": "2024-11-21T04:32:32.160",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-23T17:15:11.803",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e%40%3Cissues.cxf.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/bugtraq/2019/Dec/43"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202003-43"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200107-0001/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4251-1/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2019/dsa-4596"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4680"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e%40%3Cissues.cxf.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/bugtraq/2019/Dec/43"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202003-43"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200107-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4251-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2019/dsa-4596"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4680"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-10 18:15
Modified
2025-06-16 17:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could
cause Tomcat to skip some parts of the recycling process leading to
information leaking from the current request/response to the next.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FE1F7111-22BD-489A-B2C9-E67E0D601824",
"versionEndExcluding": "8.5.94",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37FCE624-DD65-4AC5-A602-BB66E0E54CFC",
"versionEndExcluding": "9.0.81",
"versionStartIncluding": "9.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0995DE67-7E3B-4CFE-AB96-E2243F994755",
"versionEndExcluding": "10.1.14",
"versionStartIncluding": "10.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "F6BD4180-D3E8-42AB-96B1-3869ECF47F6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "FC64BB57-4912-481E-AE8D-C8FCD36142BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "49B43BFD-6B6C-4E6D-A9D8-308709DDFB44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "919C16BD-79A7-4597-8D23-2CBDED2EF615",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "81B27C03-D626-42EC-AE4E-1E66624908E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "BD81405D-81A5-4683-A355-B39C912DAD2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "2DCE3576-86BC-4BB8-A5FB-1274744DFD7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "5571F54A-2EAC-41B6-BDA9-7D33CFE97F70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "ED30E850-C475-4133-BDE3-74CB3768D787",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "D334103F-F64E-4869-BCC8-670A5AFCC76C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "6284B74A-1051-40A7-9D74-380FEEEC3F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "D1AA7FF6-E8E7-4BF6-983E-0A99B0183008",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "57088BDD-A136-45EF-A8A1-2EBF79CEC2CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "B32D1D7A-A04F-444E-8F45-BB9A9E4B0199",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "F1F981F5-035A-4EDD-8A9F-481EE8BC7FF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "03A171AF-2EC8-4422-912C-547CDB58CAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "538E68C4-0BA4-495F-AEF8-4EF6EE7963CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "49350A6E-5E1D-45B2-A874-3B8601B3ADCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "5F50942F-DF54-46C0-8371-9A476DD3EEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "D12C2C95-B79F-4AA4-8CE3-99A3EE7991AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "98792138-DD56-42DF-9612-3BDC65EEC117",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \ncause Tomcat to skip some parts of the recycling process leading to \ninformation leaking from the current request/response to the next.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de limpieza incompleta en Apache Tomcat. Al reciclar varios objetos internos en Apache Tomcat desde 11.0.0-M1 hasta 11.0.0-M11, desde 10.1.0-M1 hasta 10.1.13, desde 9.0.0-M1 hasta 9.0.80 y Desde 8.5.0 hasta 8.5.93, un error podr\u00eda hacer que Tomcat se salte algunas partes del proceso de reciclaje, lo que provocar\u00eda que se filtrara informaci\u00f3n de la solicitud/respuesta actual a la siguiente. Se recomienda a los usuarios actualizar a la versi\u00f3n 11.0.0-M12 en adelante, 10.1.14 en adelante, 9.0.81 en adelante o 8.5.94 en adelante, lo que soluciona el problema."
}
],
"id": "CVE-2023-42795",
"lastModified": "2025-06-16T17:15:26.473",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-10-10T18:15:18.933",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/10/10/9"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20231103-0007/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5521"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5522"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/10/10/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20231103-0007/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5521"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5522"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-459"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-14 20:15
Modified
2024-11-21 06:27
Severity ?
Summary
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "890E6FBC-FCC5-44B0-8CE8-AD7E8F0A1BFA",
"versionEndExcluding": "8.5.72",
"versionStartIncluding": "8.5.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "654BD045-868C-4DC0-B36C-824C0F4C41CD",
"versionEndExcluding": "9.0.54",
"versionStartIncluding": "9.0.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1C639222-18E7-4BDC-A53A-684F63C42991",
"versionEndExcluding": "10.0.12",
"versionStartIncluding": "10.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "83B9FF07-1B93-4F8C-AC56-7CA74E61B724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:hci:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8A6E548F-62E9-40CB-85DA-FDAA0F0096C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*",
"matchCriteriaId": "86B51137-28D9-41F2-AFA2-3CC22B4954D1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*",
"matchCriteriaId": "384DEDD9-CB26-4306-99D8-83068A9B23ED",
"versionEndExcluding": "23.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*",
"matchCriteriaId": "590ADE5F-0D0F-4576-8BA6-828758823442",
"versionEndIncluding": "8.5.0.2",
"versionStartIncluding": "8.0.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "05F5B430-8BA1-4865-93B5-0DE89F424B53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A2E3E923-E2AD-400D-A618-26ADF7F841A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9AB58D27-37F2-4A32-B786-3490024290A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9AB179A8-DFB7-4DCF-8DE3-096F376989F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:payment_interface:19.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5D01A0EC-3846-4A74-A174-3797078DC699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:payment_interface:20.3:*:*:*:*:*:*:*",
"matchCriteriaId": "03E5FCFB-093A-48E9-8A4E-34C993D2764E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_customer_insights:15.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3D1C35DF-D30D-42C8-B56D-C809609AB2A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_customer_insights:16.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "834B4CE7-042E-489F-AE19-0EEA2C37E7A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_data_extractor_for_merchandising:15.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "82653579-FF7D-4492-9CA2-B3DF6A708831",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_data_extractor_for_merchandising:16.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "32D2EB48-F9A2-4D23-81C5-4B30F2D785DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_eftlink:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4B95628-F108-424A-8C19-40A5F5B7D37B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_financial_integration:16.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "EE6D2296-FF70-462A-963D-C93429499E4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_financial_integration:19.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4B7B0B33-2361-4CF5-8075-F609858A582E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:14.0.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "88458537-6DE8-4D79-BC71-9D08883AD0C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "2E310654-0793-41CC-B049-C754AC31D016",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.14:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5B22C6-97AF-4D1B-84C9-987C6F62C401",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FFD9AAE5-9472-49C6-B054-DB76BEB86D35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A104FDBD-0B28-44EE-91A0-A0C8939865A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3.7:*:*:*:*:*:*:*",
"matchCriteriaId": "C2D60A4D-BB4F-4177-AFA8-A8DC8C111FB3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "77E39D5C-5EFA-4FEB-909E-0A92004F2563",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "06816711-7C49-47B9-A9D7-FB18CC3F42F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:taleo_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "10009CC2-04DD-4CD3-B256-2D5EFD9A1D1D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError."
},
{
"lang": "es",
"value": "La correcci\u00f3n del bug 63362 presente en Apache Tomcat versiones 10.1.0-M1 hasta 10.1.0-M5, versiones 10.0.0-M1 hasta 10.0.11, versiones 9.0.40 hasta 9.0.53 y versiones 8.5.60 hasta 8.5.71, introduc\u00eda una p\u00e9rdida de memoria. El objeto introducido para recopilar m\u00e9tricas para las conexiones de actualizaci\u00f3n HTTP no se liberaba para las conexiones WebSocket una vez que se cerraba la conexi\u00f3n. Esto creaba una p\u00e9rdida de memoria que, con el tiempo, pod\u00eda conllevar a una denegaci\u00f3n de servicio por medio de un OutOfMemoryError"
}
],
"id": "CVE-2021-42340",
"lastModified": "2024-11-21T06:27:38.363",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-14T20:15:09.060",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-34"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20211104-0001/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-5009"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-34"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20211104-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-5009"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-772"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-772"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-03 19:15
Modified
2024-11-21 07:28
Severity ?
Summary
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj | Mailing List, Vendor Advisory | |
| security@apache.org | https://security.gentoo.org/glsa/202305-37 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202305-37 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20230216-0009/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | 8.5.83 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24BAD725-BA56-4B40-9BFA-1B6B99348F7D",
"versionEndExcluding": "9.0.69",
"versionStartIncluding": "9.0.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.83:*:*:*:*:*:*:*",
"matchCriteriaId": "7BA74802-4328-4AB7-AE53-7118C3EA5018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "F6BD4180-D3E8-42AB-96B1-3869ECF47F6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "FC64BB57-4912-481E-AE8D-C8FCD36142BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "49B43BFD-6B6C-4E6D-A9D8-308709DDFB44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "919C16BD-79A7-4597-8D23-2CBDED2EF615",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "81B27C03-D626-42EC-AE4E-1E66624908E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "BD81405D-81A5-4683-A355-B39C912DAD2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "D334103F-F64E-4869-BCC8-670A5AFCC76C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "6284B74A-1051-40A7-9D74-380FEEEC3F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A8FEA1A6-0E39-4099-ABC4-73B921FE5C4F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output."
},
{
"lang": "es",
"value": "JsonErrorReportValve en Apache Tomcat 8.5.83, 9.0.40 a 9.0.68 y 10.1.0-M1 a 10.1.1 no escap\u00f3 de los valores de tipo, mensaje o descripci\u00f3n. En algunas circunstancias, estos se construyen a partir de datos proporcionados por el usuario y, por lo tanto, era posible que los usuarios proporcionaran valores que invalidaban o manipulaban la salida JSON."
}
],
"id": "CVE-2022-45143",
"lastModified": "2024-11-21T07:28:50.497",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-03T19:15:10.403",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202305-37"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202305-37"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230216-0009/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-12 08:15
Modified
2024-11-21 06:59
Severity ?
Summary
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| debian | debian_linux | 10.0 | |
| debian | debian_linux | 11.0 | |
| oracle | hospitality_cruise_shipboard_property_management_system | 20.2.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF71095E-12F3-4461-BAE9-1EB65BA50916",
"versionEndIncluding": "8.5.78",
"versionStartIncluding": "8.5.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F31172AB-31C6-4F32-B9CC-2F363A9DEF94",
"versionEndIncluding": "9.0.62",
"versionStartIncluding": "9.0.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BFC41BAB-1EA0-444F-AD16-4A341BD642E9",
"versionEndIncluding": "10.0.20",
"versionStartIncluding": "10.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "F6BD4180-D3E8-42AB-96B1-3869ECF47F6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "FC64BB57-4912-481E-AE8D-C8FCD36142BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "49B43BFD-6B6C-4E6D-A9D8-308709DDFB44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "D334103F-F64E-4869-BCC8-670A5AFCC76C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "6284B74A-1051-40A7-9D74-380FEEEC3F88",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C29D8C0E-6317-4512-BEEC-42A0FE0D5B73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks."
},
{
"lang": "es",
"value": "La documentaci\u00f3n de Apache Tomcat versiones 10.1.0-M1 a 10.1.0-M14, 10.0.0-M1 a 10.0.20, 9.0.13 a 9.0.62 y 8.5.38 a 8.5.78, para el EncryptInterceptor indicaba incorrectamente que permit\u00eda que el clustering de Tomcat fuera ejecutado sobre una red no confiable. Esto no es correcto. Mientras que el EncryptInterceptor proporciona confidencialidad y protecci\u00f3n de la integridad, no protege contra todos los riesgos asociados con la ejecuci\u00f3n de cualquier red no confiable, particularmente los riesgos de DoS"
}
],
"id": "CVE-2022-29885",
"lastModified": "2024-11-21T06:59:54.297",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-12T08:15:07.630",
"references": [
{
"source": "security@apache.org",
"url": "http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Mitigation",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220629-0002/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5265"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220629-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5265"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-02-25 01:59
Modified
2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*",
"matchCriteriaId": "0A354C34-A3FE-4B8A-9985-8874A0634BC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*",
"matchCriteriaId": "CFE300CC-FD4A-444E-8506-E5E269D0A0A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*",
"matchCriteriaId": "F50A3EC9-516E-48A7-839B-A73F491B5B9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "8C28F09D-5CAA-4CA7-A2B5-3B2820F5F409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:alpha:*:*:*:*:*:*",
"matchCriteriaId": "FAC2FC75-97D2-4EA1-A1A0-F592A6D7C1F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "48E5E8C3-21AD-4230-B945-AB7DE66307B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4945C8C1-C71B-448B-9075-07C6C92599CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED4730B0-2E09-408B-AFD4-FE00F73700FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DE8A8A-7643-4292-BCC1-758AE0940207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "E9B54FCD-CF7C-47E2-8513-40419E47AF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "D87EFB6D-B626-469F-907C-40C771A55833",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "6330B97B-8FC5-4D7E-A960-5D94EDD0C378",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "2A0B2FA4-772E-4B23-8B3F-CC86515E4226",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*",
"matchCriteriaId": "6F1B937B-57E0-4E88-9E39-39012A924525",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
"matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7D0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*",
"matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*",
"matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*",
"matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA1555C-E55A-4E14-B786-BFEE3F09220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*",
"matchCriteriaId": "F8075E9A-DA7F-4A0B-8B4D-0CD951369111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*",
"matchCriteriaId": "335A5320-6086-4B45-9903-82F6F92A584F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*",
"matchCriteriaId": "46B33408-C2E2-4E7C-9334-6AB98F13468C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*",
"matchCriteriaId": "9F036676-9EFB-4A92-828E-A38905D594E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F963D737-2E95-4D7C-92C7-DACF3F36D1E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "701424A2-BB06-44B5-B468-7164E4F95529",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1BA6388C-5B6E-4651-8AE3-EBCCF61C27E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "8F9A5B7E-33A9-4651-9BE1-371A0064B661",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "F99252E8-A59C-48E1-B251-718D7FB3E399",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "4E0DDEF6-A8EE-46C4-A046-A1F26E7C4E87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "14B38892-9C00-4510-B7BA-F2A8F2CACCAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "7409B064-D43E-489E-AEC6-0A767FB21737",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "F019268F-80C4-48FE-8164-E9DA0A3BAFF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "1EFBD214-FCFE-4F04-A903-66EFDA764B9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "425D86B3-6BB9-410D-8125-F7CF87290AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "3EE3BB0D-1002-41E4-9BE8-875D97330057",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "6622472B-8644-4D45-A54B-A215C3D64B83",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*",
"matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en RequestUtil.java en Apache Tomcat 6.x en versiones anteriores a 6.0.45, 7.x en versiones anteriores a 7.0.65 y 8.x en versiones anteriores a 8.0.27 permite a usuarios remotos autenticados eludir las restricciones de SecurityManager destinadas y listar un directorio padre a trav\u00e9s de un /.. (barra punto punto) en un nombre de ruta utilizado por una aplicaci\u00f3n web en una llamada getResource, getResourceAsStream o getResourcePaths, seg\u00fan lo demostrado por el directorio $CATALINA_BASE/webapps."
}
],
"id": "CVE-2015-5174",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-02-25T01:59:00.120",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=145974991225029\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://packetstormsecurity.com/files/135883/Apache-Tomcat-Limited-Directory-Traversal.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1435.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/bugtraq/2016/Feb/149"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696281"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696284"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700897"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700898"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700900"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3552"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3609"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/83329"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1035070"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-3024-1"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2016:1432"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2016:1433"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2016:1434"
},
{
"source": "secalert@redhat.com",
"url": "https://bto.bluecoat.com/security-advisory/sa118"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"
},
{
"source": "secalert@redhat.com",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r0b24f2c7507f702348e2c2d64e8a5de72bad6173658e8d8e45322ac2%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rd4863c79bf729aabb95571fd845a9ea4ee3ae3fcee48f35aba007350%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "secalert@redhat.com",
"url": "https://security.netapp.com/advisory/ntap-20180531-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=145974991225029\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/135883/Apache-Tomcat-Limited-Directory-Traversal.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1435.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/bugtraq/2016/Feb/149"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696281"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696284"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700897"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700898"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700900"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3552"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3609"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/83329"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1035070"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-3024-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2016:1432"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2016:1433"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2016:1434"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bto.bluecoat.com/security-advisory/sa118"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r0b24f2c7507f702348e2c2d64e8a5de72bad6173658e8d8e45322ac2%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rd4863c79bf729aabb95571fd845a9ea4ee3ae3fcee48f35aba007350%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/201705-09"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20180531-0001/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2005-11-06 11:02
Modified
2025-04-03 01:03
Severity ?
Summary
Apache Tomcat 5.5.0 to 5.5.11 allows remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous requests to list a web directory that has a large number of files.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E98B82A-22E5-4E6C-90AE-56F5780EA147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "34672E90-C220-436B-9143-480941227933",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92883AFA-A02F-41A5-9977-ABEAC8AD2970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "989A78F8-EE92-465F-8A8D-ECF0B58AFE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1F5B6627-B4A4-4E2D-B96C-CA37CCC8C804",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "ACFB09F3-32D1-479C-8C39-D7329D9A6623",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "717F6995-5AF0-484C-90C0-A82F25FD2E32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 5.5.0 to 5.5.11 allows remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous requests to list a web directory that has a large number of files."
}
],
"id": "CVE-2005-3510",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2005-11-06T11:02:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/17416"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://securitytracker.com/id?1015147"
},
{
"source": "cve@mitre.org",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "cve@mitre.org",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "cve@mitre.org",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "cve@mitre.org",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/20439"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2006-0161.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/415782/30/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/15325"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/17416"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30899"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30908"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://securitytracker.com/id?1015147"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/20439"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2006-0161.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/415782/30/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/15325"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-07-25 17:30
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in SendMailServlet in the examples web application (examples/jsp/mail/sendmail.jsp) in Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.36 allows remote attackers to inject arbitrary web script or HTML via the From field and possibly other fields, related to generation of error messages.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | 4.0.0 | |
| apache | tomcat | 4.0.1 | |
| apache | tomcat | 4.0.2 | |
| apache | tomcat | 4.0.3 | |
| apache | tomcat | 4.0.4 | |
| apache | tomcat | 4.0.5 | |
| apache | tomcat | 4.0.6 | |
| apache | tomcat | 4.1.0 | |
| apache | tomcat | 4.1.1 | |
| apache | tomcat | 4.1.2 | |
| apache | tomcat | 4.1.3 | |
| apache | tomcat | 4.1.10 | |
| apache | tomcat | 4.1.15 | |
| apache | tomcat | 4.1.24 | |
| apache | tomcat | 4.1.28 | |
| apache | tomcat | 4.1.31 | |
| apache | tomcat | 4.1.36 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "914E1404-01A2-4F94-AA40-D5EA20F55AD3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81FB1106-B26D-45BE-A511-8E69131BBA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "401A213A-FED3-49C0-B823-2E02EA528905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7641278D-3B8B-4CD2-B284-2047B65514A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7B9911-E836-4A96-A0E8-D13C957EC0EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D2341C51-A239-4A4A-B0DC-30F18175442C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0E300013-0CE7-4313-A553-74A6A247B3E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E08D7414-8D0C-45D6-8E87-679DF0201D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AB15C5DB-0DBE-4DAD-ACBD-FAE23F768D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "60CFD9CA-1878-4C74-A9BD-5D581736E6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C92F3744-C8F9-4E29-BF1A-25E03A32F2C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*",
"matchCriteriaId": "1C03E4C9-34E3-42F7-8B73-D3C595FD7EE1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*",
"matchCriteriaId": "B1D9BD7E-FCC2-404B-A057-1A10997DAFF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*",
"matchCriteriaId": "6A79DA2C-35F3-47DE-909B-8D8D1AE111C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*",
"matchCriteriaId": "17522878-4266-432A-859D-C02096C8AC0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.36:*:*:*:*:*:*:*",
"matchCriteriaId": "5A28B11A-3BC7-41BC-8970-EE075B029F5C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in SendMailServlet in the examples web application (examples/jsp/mail/sendmail.jsp) in Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.36 allows remote attackers to inject arbitrary web script or HTML via the From field and possibly other fields, related to generation of error messages."
},
{
"lang": "es",
"value": "Vulnerabilidad de seuencia de comandos en sitios cruzados en SendMailServlet en los ejemplos de aplicaciones web (examples/jsp/mail/sendmail.jsp) en Apache Tomcat 4.0.0 hasta la 4.0.6 y 4.1.0 hasta la 4.1.36 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del campo From y posiblemente otros campos, relacionado con la generaci\u00f3n de mensajes de error."
}
],
"id": "CVE-2007-3383",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2007-07-25T17:30:00.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/39000"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://seclists.org/fulldisclosure/2007/Jul/0448.html"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/30802"
},
{
"source": "secalert@redhat.com",
"url": "http://securityreason.com/securityalert/2918"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/862600"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/474413/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/24999"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/2618"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35536"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/39000"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://seclists.org/fulldisclosure/2007/Jul/0448.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/30802"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/2918"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT2163"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/862600"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/474413/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/24999"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/2618"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1981/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35536"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-01-23 02:00
Modified
2025-04-09 00:30
Severity ?
Summary
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4CEF61B3-70E2-4B42-B02C-D819805E86A0",
"versionEndIncluding": "5.5.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."
},
{
"lang": "es",
"value": "El valor SingleSignOn (org.apache.catalina.authenticator.SingleSignOn) en Apache Tomcat anterior a 5.5.21 no asigna la bandera segura para la cookie JSESSIONIDSSO en una sesi\u00f3n http, haci\u00e9ndolo m\u00e1s f\u00e1cil para atacantes remotos para capturar esta cookie."
}
],
"id": "CVE-2008-0128",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-01-23T02:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=41217"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28549"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28552"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/29242"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/31493"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "cve@mitre.org",
"url": "http://security-tracker.debian.net/tracker/CVE-2008-0128"
},
{
"source": "cve@mitre.org",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2008/dsa-1468"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/27365"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2008/0192"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39804"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=41217"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28549"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28552"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/29242"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31493"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/33668"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://security-tracker.debian.net/tracker/CVE-2008-0128"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2008/dsa-1468"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/27365"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/0192"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39804"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-16"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-11-17 19:55
Modified
2025-04-11 00:51
Severity ?
Summary
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E98B82A-22E5-4E6C-90AE-56F5780EA147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "34672E90-C220-436B-9143-480941227933",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92883AFA-A02F-41A5-9977-ABEAC8AD2970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "989A78F8-EE92-465F-8A8D-ECF0B58AFE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1F5B6627-B4A4-4E2D-B96C-CA37CCC8C804",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "ACFB09F3-32D1-479C-8C39-D7329D9A6623",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "717F6995-5AF0-484C-90C0-A82F25FD2E32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9C36C-EF7E-4D42-9749-E2FF6CE35A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C98575E2-E39A-4A8F-B5B5-BD280B8367BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDA08E7-A417-44E8-9C89-EB22BEEC3B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "DCD1B6BE-CF07-4DA8-A703-4A48506C8AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "5878E08E-2741-4798-94E9-BA8E07386B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "69F6BAB7-C099-4345-A632-7287AEA555B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AAF031-D16B-4D51-9581-2D1376A5157B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*",
"matchCriteriaId": "51120689-F5C0-4DF1-91AA-314C40A46C58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F67477AB-85F6-421C-9C0B-C8EFB1B200CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*",
"matchCriteriaId": "16D0C265-2ED9-42CF-A7D6-C7FAE4246A1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*",
"matchCriteriaId": "5D70CFD9-B55D-4A29-B94C-D33F3E881A8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*",
"matchCriteriaId": "C1195878-CCC9-49BC-9AC7-1F88F0DFAB82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.29:*:*:*:*:*:*:*",
"matchCriteriaId": "375C26A9-623E-483A-BC11-468D9DE278C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.30:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDDD480-3C9E-4BE9-848A-99A13145C2AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.31:*:*:*:*:*:*:*",
"matchCriteriaId": "42BB8770-0BB4-4F23-AE24-58745095060D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.32:*:*:*:*:*:*:*",
"matchCriteriaId": "7B980C39-A4D8-483A-B48C-36CA4F5CEAA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.33:*:*:*:*:*:*:*",
"matchCriteriaId": "DFF7178D-DC9B-45F7-BEA4-701B1EAEC2CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.34:*:*:*:*:*:*:*",
"matchCriteriaId": "82BC5508-AA3A-4723-93A3-DBBFB4095BB3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.35:*:*:*:*:*:*:*",
"matchCriteriaId": "A2757803-A75D-4B98-8473-8B5C53F4D2B9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D11D6FB7-CBDB-48C1-98CB-1B3CAA36C5D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*",
"matchCriteriaId": "0A354C34-A3FE-4B8A-9985-8874A0634BC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*",
"matchCriteriaId": "CFE300CC-FD4A-444E-8506-E5E269D0A0A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*",
"matchCriteriaId": "F50A3EC9-516E-48A7-839B-A73F491B5B9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "8C28F09D-5CAA-4CA7-A2B5-3B2820F5F409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:alpha:*:*:*:*:*:*",
"matchCriteriaId": "FAC2FC75-97D2-4EA1-A1A0-F592A6D7C1F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:alpha:*:*:*:*:*:*",
"matchCriteriaId": "C4871FD1-7F8C-4677-A80B-4A0BBC71DD7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:alpha:*:*:*:*:*:*",
"matchCriteriaId": "31AB969A-9ACE-44EF-B2E5-CEC008F47C46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:beta:*:*:*:*:*:*",
"matchCriteriaId": "06217215-72E4-4478-BACB-628A0836A645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:alpha:*:*:*:*:*:*",
"matchCriteriaId": "EA810F3F-ADD3-4D3F-9DFC-DBDD87B3079C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:beta:*:*:*:*:*:*",
"matchCriteriaId": "8B79F2EA-C893-4359-80EC-24AE38D982E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "CE92E59A-FF0D-4D1A-8B12-CC41A7E1FD3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "48E5E8C3-21AD-4230-B945-AB7DE66307B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4945C8C1-C71B-448B-9075-07C6C92599CF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID."
},
{
"lang": "es",
"value": "La implementaci\u00f3n de HTTP Digest Access Authentication en Apache Tomcat v5.5.x antes de v5.5.36, 6.x antes 6.0.36, v7.x antes de v7.0.30 cach\u00e9s informaci\u00f3n sobre el usuario autenticado en el estado de la sesi\u00f3n, lo que hace que sea m\u00e1s f\u00e1cil para los atacantes remotos evitar la autenticaci\u00f3n a trav\u00e9s de vectores relacionados a la ID de sesi\u00f3n."
}
],
"id": "CVE-2012-5886",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-11-17T19:55:02.767",
"references": [
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0623.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0629.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0631.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0632.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0633.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0640.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0647.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0648.html"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0726.html"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/51371"
},
{
"source": "cve@mitre.org",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1377807"
},
{
"source": "cve@mitre.org",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1380829"
},
{
"source": "cve@mitre.org",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1392248"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "cve@mitre.org",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21626891"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/56403"
},
{
"source": "cve@mitre.org",
"url": "http://www.ubuntu.com/usn/USN-1637-1"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80407"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0623.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0629.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0631.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0632.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0633.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0640.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0647.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0648.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0726.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/51371"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1377807"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1380829"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1392248"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21626891"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/56403"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-1637-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80407"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-06 14:29
Modified
2025-04-20 01:37
Severity ?
Summary
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*",
"matchCriteriaId": "6F1B937B-57E0-4E88-9E39-39012A924525",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "5E8FF71D-4710-4FBB-9925-A6A26C450F7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "BCAF1EB5-FB34-40FC-96ED-9D073890D8BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED5125CC-05F9-4678-90DB-A5C7CD24AE6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "1B904C74-B92E-4EAE-AE6C-78E2B844C3DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "7A11BD74-305C-41E2-95B1-5008EEF5FA5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "595442D0-9DB7-475A-AE30-8535B70E122E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0BA92A-0BD3-4CE4-9465-95E949104BAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*",
"matchCriteriaId": "DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*",
"matchCriteriaId": "67A0EA46-5AEA-4D0A-B89E-6560FA10EC08",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*",
"matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*",
"matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*",
"matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*",
"matchCriteriaId": "A225D4F7-174E-47C3-8390-C6FA28DB5A9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA1555C-E55A-4E14-B786-BFEE3F09220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*",
"matchCriteriaId": "6BAC42AE-B82A-4ABF-9519-B2D97D925707",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*",
"matchCriteriaId": "F8075E9A-DA7F-4A0B-8B4D-0CD951369111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*",
"matchCriteriaId": "335A5320-6086-4B45-9903-82F6F92A584F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*",
"matchCriteriaId": "46B33408-C2E2-4E7C-9334-6AB98F13468C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*",
"matchCriteriaId": "9F036676-9EFB-4A92-828E-A38905D594E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*",
"matchCriteriaId": "E9728EE8-6029-4DF3-942E-E4ACC09111A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*",
"matchCriteriaId": "62DBB843-288C-4060-8777-6CDCF1860D29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*",
"matchCriteriaId": "34E7DAC8-8419-45D1-A28F-14CF2FE1B6EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*",
"matchCriteriaId": "89B87EB5-4902-4C2A-878A-45185F7D0FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*",
"matchCriteriaId": "C0596E6C-9ACE-4106-A2FF-BED7967C323F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*",
"matchCriteriaId": "8F7158DC-966B-4508-8600-40E3E9D3D0DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*",
"matchCriteriaId": "A190FE0D-86C1-49EE-BDAE-5879C32BDC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*",
"matchCriteriaId": "CA20F45F-01A2-43DD-9731-DFF54E31719F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*",
"matchCriteriaId": "3C7A728B-59DB-4EDE-8929-C91F4C410902",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*",
"matchCriteriaId": "26889291-3280-4524-8F4A-9B22FF4600C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*",
"matchCriteriaId": "6E4CAEBD-0F38-4892-9D0B-9D7392E0BCC3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*",
"matchCriteriaId": "61C4DA00-E47C-47BE-856C-7E0D4B0F9DAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*",
"matchCriteriaId": "41FF234B-A9AD-4C51-8E9E-939DC8ECB64A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F963D737-2E95-4D7C-92C7-DACF3F36D1E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C4DB619-F6B0-4896-9AE2-7E7D92105577",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF96F96-34DB-4EB3-BF59-11220673FA26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "44883383-6360-4BE6-9B48-1308F85E5797",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EDF3E379-47D2-4C86-8C6D-8B3C25A0E1C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E82391BD-10FF-4E7F-91DC-35AA11325530",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "92C22F12-C072-4A12-A4A9-CBF589A36FF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "6A776B25-6AF1-421B-8E47-2A7499F6B4D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "7A332FDE-42AE-4F48-9553-5AE953CD6D3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "701424A2-BB06-44B5-B468-7164E4F95529",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1BA6388C-5B6E-4651-8AE3-EBCCF61C27E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A63FA521-9D20-49B9-A9A4-0DF891B4E4E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "8F9A5B7E-33A9-4651-9BE1-371A0064B661",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "F99252E8-A59C-48E1-B251-718D7FB3E399",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9D05293B-B9D8-42F1-9367-9D2E058EFAD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "4E0DDEF6-A8EE-46C4-A046-A1F26E7C4E87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "14B38892-9C00-4510-B7BA-F2A8F2CACCAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8C913AA6-2260-4249-BE1D-7139F45735D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "7409B064-D43E-489E-AEC6-0A767FB21737",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "F019268F-80C4-48FE-8164-E9DA0A3BAFF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "1EFBD214-FCFE-4F04-A903-66EFDA764B9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "425D86B3-6BB9-410D-8125-F7CF87290AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "3EE3BB0D-1002-41E4-9BE8-875D97330057",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "25D0E80B-EDDA-4876-912D-44BFE6211EB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "6622472B-8644-4D45-A54B-A215C3D64B83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "B338F95B-2924-435B-827F-E64420A93244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "209D1349-7740-4DBE-80A5-E6343C62BAB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "09E77C24-C265-403D-A193-B3739713F6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "28616FA3-9A98-4AAE-9F94-3E77A14156EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "335925DA-11C0-4222-B6B7-82602B361751",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "603A14BF-72BB-4A3D-8CBC-932DC45CEC06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "4C2E1C55-3C89-4F26-A981-1195BCC9BB5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "FC242407-A447-4ABD-8E19-EB6DB1F35121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "31BB906B-812F-462C-9AEE-147C1418D865",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "0B701E17-D231-44ED-A46E-C67749A725B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B8CAF2F7-D227-4F06-B0E6-533C5EDB105B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "305B73CE-0224-4E73-8EB2-FC41A62FBA08",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "D0DBF476-D7BB-4FC8-89FE-FF0CD135E9BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "BC866C53-0C6B-4D0B-A168-D3985B1CF0F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "290B0787-49F1-41FB-9AFD-36646FB16CA9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "1B741F4F-E52B-43CD-A9CC-6AC46B2DE111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7A8369-183D-4C00-B2B2-0F81DA153C4E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69A7FC28-A0EC-4516-9776-700343D2F4DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "18814653-6D44-47D9-A2F5-89C5AFB255F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D811A9-4988-4C11-AA27-F5BE2B93D8D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FAEF824D-7E95-4BC1-8DBB-787DCE595E21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "97F4A2B3-DB1D-4D0B-B5FF-7EE2A0D291BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0B461D5A-1208-498F-B551-46C6D514AC2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "598E5D91-0165-4D55-9EDD-EBB5AAAD1172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4B6B61B7-09A3-41C8-8333-0417C14CC87E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "95A139BA-CD3C-42F5-88BA-BE7BE58246D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "876EADA5-60AD-4849-BE10-61C75AA75053",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1814F8DE-2060-411F-9FCC-6EC42AF5663D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1AF6DBF7-BB0A-4AE6-84DA-51428ACF47CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A34F72ED-04FE-4EDE-BB18-BE8B1E99EEF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "3245C35C-02E7-46B9-A720-37D3C17AFDD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "F4239A72-EFA1-49E3-8755-5961060F2198",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method."
},
{
"lang": "es",
"value": "El mecanismo de p\u00e1gina de error en Java Servlet Specification requiere que, cuando ocurre un error y se configura una p\u00e1gina de error para ese fallo que ha ocurrido, la petici\u00f3n original y la respuesta se env\u00edan a la p\u00e1gina de error. Esto significa que la petici\u00f3n se presenta en la p\u00e1gina de error con el m\u00e9todo HTTP original. Si la p\u00e1gina de error es un archivo est\u00e1tico, el comportamiento esperado es que sirva contenido del archivo como si estuviese procesando una petici\u00f3n GET, independientemente del m\u00e9todo HTTP que se emplee realmente. El Servlet por defecto en Apache Tomcat 9.0.0.M1 a 9.0.0.M20, 8.5.0 a 8.5.14, 8.0.0.RC1 a 8.0.43 y 7.0.0 a 7.0.77 no hizo esto. Dependiendo de la petici\u00f3n original, esto podr\u00eda conducir a resultados inesperados y no deseados para p\u00e1ginas est\u00e1ticas de error incluyendo, si DefaultServlet se configura para permitir escrituras, el remplazo o eliminaci\u00f3n de la p\u00e1gina de error personalizada. Notas para otras p\u00e1ginas de error proporcionadas por el usuario: (1) A no se que se programe de otra forma, los JSPs ignoran el m\u00e9todo HTTP. Los JSP empleados como p\u00e1ginas de error deben asegurarse de que gestionan cualquier env\u00edo de errores como petici\u00f3n GET, independientemente del m\u00e9todo que se emplee realmente. (2) Por defecto, la respuesta que genera un Servlet depende del m\u00e9todo HTTP. Los Servlets personalizados empleados como p\u00e1ginas de error deben asegurarse de que gestionan cualquier env\u00edo de errores como petici\u00f3n GET, independientemente del m\u00e9todo que se emplee realmente."
}
],
"id": "CVE-2017-5664",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-06T14:29:00.937",
"references": [
{
"source": "security@apache.org",
"url": "http://www.debian.org/security/2017/dsa-3891"
},
{
"source": "security@apache.org",
"url": "http://www.debian.org/security/2017/dsa-3892"
},
{
"source": "security@apache.org",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"source": "security@apache.org",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"source": "security@apache.org",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "security@apache.org",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98888"
},
{
"source": "security@apache.org",
"url": "http://www.securitytracker.com/id/1038641"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:1801"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:1802"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:1809"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:2493"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:2494"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:2633"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:2635"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:2636"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:2637"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:2638"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:3080"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20171019-0002/"
},
{
"source": "security@apache.org",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03828en_us"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2017/dsa-3891"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2017/dsa-3892"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98888"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1038641"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:1801"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:1802"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:1809"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2493"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2494"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2633"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2635"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2636"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2637"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2638"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:3080"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20171019-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03828en_us"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-755"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-03-23 16:59
Modified
2025-04-20 01:37
Severity ?
Summary
The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u7 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to gain root privileges via a setgid program in the Catalina directory, as demonstrated by /etc/tomcat8/Catalina/attack.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| debian | debian_linux | 7.0 | |
| debian | debian_linux | 8.0 | |
| canonical | ubuntu_linux | 12.04 | |
| canonical | ubuntu_linux | 14.04 | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 16.10 | |
| apache | tomcat | 6.0 | |
| apache | tomcat | 7.0 | |
| apache | tomcat | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1AFB20FA-CB00-4729-AB3A-816454C6D096",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D11D6FB7-CBDB-48C1-98CB-1B3CAA36C5D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8B0EA906-ABCC-438A-8D52-4F07C0307EC9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E6CE354B-36BE-4280-9D86-E3AC552E6D6D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u7 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to gain root privileges via a setgid program in the Catalina directory, as demonstrated by /etc/tomcat8/Catalina/attack."
},
{
"lang": "es",
"value": "El script postrm en el paquete tomcat6 en versiones anteriores a 6.0.45+dfsg-1~deb7u3 en Debian wheezy, en versiones anteriores a 6.0.45+dfsg-1~deb8u1 en Debian jessie, en versiones anteriores a 6.0.35-1ubuntu3.9 rn Ubuntu 12.04 LTS y en Ubuntu 14.04 LTS; el paquete tomcat7 en versiones anteriores a 7.0.28-4+deb7u7 en Debian wheezy, en versiones anteriores a 7.0.56-3+deb8u6 en Debian jessie, en versiones anteriores a 7.0.52-1ubuntu0.8 en Ubuntu 14.04 LTS, y en Ubuntu 12.04 LTS, 16.04 LTS y 16.10; y el paquete tomcat8 en versiones anteriores a 8.0.14-1+deb8u5 en Debian jessie, en versiones anteriores a 8.0.32-1ubuntu1.3 en Ubuntu 16.04 LTS, en versiones anteriores a 8.0.37-1ubuntu0.1 en Ubuntu 16.10 y en versiones anteriores a 8.0.38-2ubuntu1 en Ubuntu 17.04 podr\u00edan permitir a usuarios locales con acceso a la cuenta tomcat obtener privilegios root a trav\u00e9s de un programa setgid en el directorio Catalina, como se demuestra por /etc/tomcat8/Catalina/attack"
}
],
"id": "CVE-2016-9775",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-03-23T16:59:00.357",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3738"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3739"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/12/02/10"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/12/02/5"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94643"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3177-1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3177-2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845385"
},
{
"source": "secalert@redhat.com",
"url": "https://security.netapp.com/advisory/ntap-20180731-0002/"
},
{
"source": "secalert@redhat.com",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3739"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/12/02/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/12/02/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94643"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3177-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3177-2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845385"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20180731-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-26 17:15
Modified
2024-11-21 04:59
Severity ?
Summary
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94DDAA68-7C3F-43FA-9DE0-70EDFED5BC15",
"versionEndIncluding": "8.5.55",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "962BF205-A4B6-49F2-AEA5-A33A95F682E1",
"versionEndIncluding": "9.0.35",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "90CD7E85-4FF9-4158-AC78-4BFCBC882A65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "7EA56B52-1015-40CD-B10C-393768094269",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "501B0D4A-D636-4736-979B-D5023599CEFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "94E7764F-BF9E-463E-B446-A9A8DB92BB97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "53A9F7EE-AF2A-43E5-B708-0198784AB45A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "70C60E6C-1A61-422B-A132-FB024761F576",
"versionEndIncluding": "8.0.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30DB69BD-0F6E-4AB5-A861-7CB911C35660",
"versionEndIncluding": "20.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AD848FE1-CFD7-490C-B008-DF3B30F3256F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*",
"matchCriteriaId": "630C8E99-FE49-486E-9003-40B82809B7A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*",
"matchCriteriaId": "C842DE9E-5E12-4295-AFA5-DEB5FEDE490A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:oncommand_system_manager:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E3177D3B-A060-4A0C-BF20-C777EAD9D68B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:oncommand_system_manager:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "CA4018FF-395E-4278-9F4C-995ECA9CB652",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive."
},
{
"lang": "es",
"value": "Una secuencia especialmente dise\u00f1ada de peticiones HTTP/2 enviadas a Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0-M5, versiones 9.0.0.M1 hasta 9.0.35 y versiones 8.5.0 hasta 8.5.55, podr\u00eda desencadenar un uso elevado de la CPU por varios segundos. Si se hacen una cantidad suficiente de tales peticiones en conexiones HTTP/2 concurrentes, el servidor podr\u00eda dejar de responder"
}
],
"id": "CVE-2020-11996",
"lastModified": "2024-11-21T04:59:04.687",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-26T17:15:10.153",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00064.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00072.html"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r2529016c311ce9485e6f173446d469600fdfbb94dccadfcd9dfdac79%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r3ea96d8f36dd404acce83df8aeb22a9e807d6c13ca9c5dec72f872cd%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r5541ef6b6b68b49f76fc4c45695940116da2bcbe0312ef204a00a2e0%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r5a4f80a6acc6607d61dae424b643b594c6188dd4e1eff04705c10db2%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r6c29801370a36c1a5159679269777ad0c73276d3015b8bbefea66e5c%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r74f5a8204efe574cbfcd95b2a16236fe95beb45c4d9fee3dc789dca9%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r8f3d416c193bc9384a8a7dd368623d441f5fcaff1057115008100561%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r93ca628ef3a4530dfe5ac49fddc795f0920a4b2a408b57a30926a42b%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9ad911fe49450ed9405827af0e7a74104041081ff91864b1f2546bbd%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rb4ee49ecc4c59620ffd5e66e84a17e526c2c3cfa95d0cd682d90d338%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rb820f1a2a02bf07414be12c653c2ab5321fd87b9bf6c5e635c53ff4b%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rc80b96b4b96618b2b7461cb90664a428cfd6605eea9f74e51b792542%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rea65d6ef2e45dd1c45faae83922042732866c7b88fa109b76c83db52%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/ref0339792ac6dac1dba83c071a727ad72380899bde60f6aaad4031b9%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200709-0002/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4596-1/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4727"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00064.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00072.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r2529016c311ce9485e6f173446d469600fdfbb94dccadfcd9dfdac79%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3ea96d8f36dd404acce83df8aeb22a9e807d6c13ca9c5dec72f872cd%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r5541ef6b6b68b49f76fc4c45695940116da2bcbe0312ef204a00a2e0%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r5a4f80a6acc6607d61dae424b643b594c6188dd4e1eff04705c10db2%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r6c29801370a36c1a5159679269777ad0c73276d3015b8bbefea66e5c%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r74f5a8204efe574cbfcd95b2a16236fe95beb45c4d9fee3dc789dca9%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r8f3d416c193bc9384a8a7dd368623d441f5fcaff1057115008100561%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r93ca628ef3a4530dfe5ac49fddc795f0920a4b2a408b57a30926a42b%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9ad911fe49450ed9405827af0e7a74104041081ff91864b1f2546bbd%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb4ee49ecc4c59620ffd5e66e84a17e526c2c3cfa95d0cd682d90d338%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb820f1a2a02bf07414be12c653c2ab5321fd87b9bf6c5e635c53ff4b%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rc80b96b4b96618b2b7461cb90664a428cfd6605eea9f74e51b792542%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rea65d6ef2e45dd1c45faae83922042732866c7b88fa109b76c83db52%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ref0339792ac6dac1dba83c071a727ad72380899bde60f6aaad4031b9%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200709-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4596-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4727"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2002-12-31 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
Apache Tomcat 4.0.3 for Windows allows remote attackers to obtain the web root path via an HTTP request for a resource that does not exist, such as lpt9, which leaks the information in an error message.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 4.0.3 for Windows allows remote attackers to obtain the web root path via an HTTP request for a resource that does not exist, such as lpt9, which leaks the information in an error message."
}
],
"id": "CVE-2002-2008",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2002-12-31T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2002-06/0225.html"
},
{
"source": "cve@mitre.org",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.iss.net/security_center/static/9394.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/5054"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2002-06/0225.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.iss.net/security_center/static/9394.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/5054"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-01-31 14:29
Modified
2024-11-21 03:15
Severity ?
Summary
As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "96F2AD27-8BC3-44DB-B732-6AF1ACAA9C62",
"versionEndIncluding": "7.0.82",
"versionStartIncluding": "7.0.79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2D675B52-2C19-4DD8-9BDD-1CDE23DF5520",
"versionEndIncluding": "8.0.47",
"versionStartIncluding": "8.0.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48422EF4-3664-491E-8024-D522FD2E1144",
"versionEndIncluding": "8.5.23",
"versionStartIncluding": "8.5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A4355F36-B223-4819-8272-751EBB68782F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected."
},
{
"lang": "es",
"value": "Como parte de la soluci\u00f3n para el bug 61201, la documentaci\u00f3n para Apache Tomcat en versiones 9.0.0.M22 a la 9.0.1; versiones 8.5.16 a 8.5.23; 8.0.45 a 8.0.47 y 7.0.79 to 7.0.82 inclu\u00eda una descripci\u00f3n actualizada del algoritmo de b\u00fasqueda empleado por el Servlet CGI para identificar qu\u00e9 script ejecutar. La actualizaci\u00f3n no fue correcta. Como resultado, algunos scripts no se han ejecutado como se esperaba y otros se han ejecutado inesperadamente. Se debe tener en cuenta que el comportamiento del servlet CGI se ha mantenido sin cambios en este sentido. Lo \u00fanico err\u00f3neo era la documentaci\u00f3n del comportamiento, que ya ha sido corregida."
}
],
"id": "CVE-2017-15706",
"lastModified": "2024-11-21T03:15:02.480",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-01-31T14:29:00.500",
"references": [
{
"source": "security@apache.org",
"url": "http://www.securityfocus.com/bid/103069"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/e1ef853fc0079cdb55befbd2dac042934e49288b476d5f6a649e5da2%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://usn.ubuntu.com/3665-1/"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/103069"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/e1ef853fc0079cdb55befbd2dac042934e49288b476d5f6a649e5da2%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://usn.ubuntu.com/3665-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-358"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-09-12 14:29
Modified
2025-04-20 01:37
Severity ?
Summary
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jenkins | jenkins | * | |
| apache | tomcat | 7.0.41 | |
| apache | tomcat | 7.0.42 | |
| apache | tomcat | 7.0.43 | |
| apache | tomcat | 7.0.44 | |
| apache | tomcat | 7.0.45 | |
| apache | tomcat | 7.0.46 | |
| apache | tomcat | 7.0.47 | |
| apache | tomcat | 7.0.48 | |
| apache | tomcat | 7.0.49 | |
| apache | tomcat | 7.0.50 | |
| apache | tomcat | 7.0.51 | |
| apache | tomcat | 7.0.54 | |
| apache | tomcat | 7.0.55 | |
| apache | tomcat | 7.0.56 | |
| apache | tomcat | 7.0.57 | |
| apache | tomcat | 7.0.58 | |
| apache | tomcat | 7.0.59 | |
| apache | tomcat | 7.0.60 | |
| apache | tomcat | 7.0.61 | |
| apache | tomcat | 7.0.62 | |
| apache | tomcat | 7.0.63 | |
| apache | tomcat | 7.0.64 | |
| apache | tomcat | 7.0.65 | |
| apache | tomcat | 7.0.66 | |
| apache | tomcat | 7.0.67 | |
| apache | tomcat | 7.0.68 | |
| apache | tomcat | 7.0.69 | |
| apache | tomcat | 7.0.70 | |
| apache | tomcat | 7.0.71 | |
| apache | tomcat | 7.0.72 | |
| apache | tomcat | 7.0.73 | |
| apache | tomcat | 7.0.74 | |
| apache | tomcat | 7.0.75 | |
| apache | tomcat | 7.0.76 | |
| apache | tomcat | 7.0.77 | |
| apache | tomcat | 7.0.78 | |
| apache | tomcat | 7.0.79 | |
| apache | tomcat | 7.0.80 | |
| apache | tomcat | 7.0.81 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C1F11E15-FD3D-48AC-9BEA-4E2730551F48",
"versionEndIncluding": "1.585",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "7A11BD74-305C-41E2-95B1-5008EEF5FA5F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "595442D0-9DB7-475A-AE30-8535B70E122E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0BA92A-0BD3-4CE4-9465-95E949104BAC",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*",
"matchCriteriaId": "DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*",
"matchCriteriaId": "67A0EA46-5AEA-4D0A-B89E-6560FA10EC08",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*",
"matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*",
"matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*",
"matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*",
"matchCriteriaId": "A225D4F7-174E-47C3-8390-C6FA28DB5A9A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA1555C-E55A-4E14-B786-BFEE3F09220B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*",
"matchCriteriaId": "6BAC42AE-B82A-4ABF-9519-B2D97D925707",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*",
"matchCriteriaId": "F8075E9A-DA7F-4A0B-8B4D-0CD951369111",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*",
"matchCriteriaId": "335A5320-6086-4B45-9903-82F6F92A584F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*",
"matchCriteriaId": "46B33408-C2E2-4E7C-9334-6AB98F13468C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*",
"matchCriteriaId": "9F036676-9EFB-4A92-828E-A38905D594E2",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*",
"matchCriteriaId": "E9728EE8-6029-4DF3-942E-E4ACC09111A3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*",
"matchCriteriaId": "62DBB843-288C-4060-8777-6CDCF1860D29",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*",
"matchCriteriaId": "34E7DAC8-8419-45D1-A28F-14CF2FE1B6EE",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*",
"matchCriteriaId": "89B87EB5-4902-4C2A-878A-45185F7D0FA1",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*",
"matchCriteriaId": "C0596E6C-9ACE-4106-A2FF-BED7967C323F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*",
"matchCriteriaId": "8F7158DC-966B-4508-8600-40E3E9D3D0DF",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*",
"matchCriteriaId": "A190FE0D-86C1-49EE-BDAE-5879C32BDC92",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*",
"matchCriteriaId": "CA20F45F-01A2-43DD-9731-DFF54E31719F",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*",
"matchCriteriaId": "3C7A728B-59DB-4EDE-8929-C91F4C410902",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*",
"matchCriteriaId": "26889291-3280-4524-8F4A-9B22FF4600C8",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*",
"matchCriteriaId": "6E4CAEBD-0F38-4892-9D0B-9D7392E0BCC3",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*",
"matchCriteriaId": "61C4DA00-E47C-47BE-856C-7E0D4B0F9DAA",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*",
"matchCriteriaId": "41FF234B-A9AD-4C51-8E9E-939DC8ECB64A",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*",
"matchCriteriaId": "4FA0E2FD-84FB-4691-B4B5-12A381CB091E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*",
"matchCriteriaId": "69CC7A75-8EA2-4F62-AF84-CE60C76F9F7C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.80:*:*:*:*:*:*:*",
"matchCriteriaId": "4CA59311-0095-49D7-BDF2-E72F847F3F09",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.81:*:*:*:*:*:*:*",
"matchCriteriaId": "A1E06587-2543-47A9-9E02-4BE7B0190065",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies."
},
{
"lang": "es",
"value": "Jenkins en versiones anteriores a la 1.586 no establece el indicador \"HttpOnly\" en un encabezado Set-Cookie para cookies de sesi\u00f3n cuando se ejecuta en Tomcat 7.0.41 o siguientes, lo que facilita que los atacantes remotos obtengan informaci\u00f3n potencialmente sensible mediante el acceso del script a las cookies."
}
],
"id": "CVE-2014-9635",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-12T14:29:00.300",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/01/22/3"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/72054"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185151"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://issues.jenkins-ci.org/browse/JENKINS-25019"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://jenkins.io/changelog-old/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/01/22/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/72054"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185151"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://issues.jenkins-ci.org/browse/JENKINS-25019"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://jenkins.io/changelog-old/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-254"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-10 17:15
Modified
2025-04-03 20:59
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
References
Impacted products
{
"cisaActionDue": "2025-04-22",
"cisaExploitAdd": "2025-04-01",
"cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Apache Tomcat Path Equivalence Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DAA3CD29-4D05-4F58-BE63-0A100C010AF0",
"versionEndExcluding": "9.0.99",
"versionStartIncluding": "9.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "108D9F43-5A29-475E-9EE2-66CE8899B318",
"versionEndExcluding": "10.1.35",
"versionStartIncluding": "10.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B7E3D41F-F7C8-4BAB-A80B-287FACB0F7E4",
"versionEndExcluding": "11.0.3",
"versionStartIncluding": "11.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "F6BD4180-D3E8-42AB-96B1-3869ECF47F6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "FC64BB57-4912-481E-AE8D-C8FCD36142BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "49B43BFD-6B6C-4E6D-A9D8-308709DDFB44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "919C16BD-79A7-4597-8D23-2CBDED2EF615",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "81B27C03-D626-42EC-AE4E-1E66624908E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "BD81405D-81A5-4683-A355-B39C912DAD2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "2DCE3576-86BC-4BB8-A5FB-1274744DFD7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "5571F54A-2EAC-41B6-BDA9-7D33CFE97F70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "ED30E850-C475-4133-BDE3-74CB3768D787",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "D334103F-F64E-4869-BCC8-670A5AFCC76C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "6284B74A-1051-40A7-9D74-380FEEEC3F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "D1AA7FF6-E8E7-4BF6-983E-0A99B0183008",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "57088BDD-A136-45EF-A8A1-2EBF79CEC2CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "B32D1D7A-A04F-444E-8F45-BB9A9E4B0199",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "0092FB35-3B00-484F-A24D-7828396A4FF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "CB557E88-FA9D-4B69-AA6F-EAEE7F9B01AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "72D3C6F1-84FA-4F82-96C1-9A8DA1C1F30F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "3521C81B-37D9-48FC-9540-D0D333B9A4A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "02A84634-A8F2-4BA9-B9F3-BEF36AEC5480",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "ECBBC1F1-C86B-40AF-B740-A99F6B27682A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "9D2206B2-F3FF-43F2-B3E2-3CAAC64C691D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "0495A538-4102-40D0-A35C-0179CFD52A9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "77BA6600-0890-4BA1-B447-EC1746BAB4FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "7914D26B-CBD6-4846-9BD3-403708D69319",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "123C6285-03BE-49FC-B821-8BDB25D02863",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "8A28C2E2-B7BC-46CE-94E4-AE3EF172AA47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "069B0D8E-8223-4C4E-A834-C6235D6C3450",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "E6282085-5716-4874-B0B0-180ECDEE128F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "F1F981F5-035A-4EDD-8A9F-481EE8BC7FF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "03A171AF-2EC8-4422-912C-547CDB58CAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "538E68C4-0BA4-495F-AEF8-4EF6EE7963CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "49350A6E-5E1D-45B2-A874-3B8601B3ADCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "5F50942F-DF54-46C0-8371-9A476DD3EEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "D12C2C95-B79F-4AA4-8CE3-99A3EE7991AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "98792138-DD56-42DF-9612-3BDC65EEC117",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Path Equivalence: \u0027file.Name\u0027 (Internal Dot) leading to\u00a0Remote Code Execution and/or Information disclosure\u00a0and/or malicious content added to uploaded files via write enabled\u00a0Default Servlet\u00a0in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\n\nIf all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:\n-\u00a0writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of\u00a0a target URL for public uploads\n-\u00a0attacker knowledge of the names of security sensitive files being\u00a0uploaded\n-\u00a0the security sensitive files also being uploaded via partial PUT\n\nIf all of the following were true, a malicious user was able to perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n-\u00a0support for partial PUT (enabled by default)\n-\u00a0application was using Tomcat\u0027s file based session persistence with the\u00a0default storage location\n-\u00a0application included a library that may be leveraged in a\u00a0deserialization attack\n\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue."
},
{
"lang": "es",
"value": "Equivalencia de ruta: \u0027file.Name\u0027 (punto interno) que conduce a la ejecuci\u00f3n remota de c\u00f3digo y/o divulgaci\u00f3n de informaci\u00f3n y/o contenido malicioso agregado a los archivos cargados a trav\u00e9s del servlet predeterminado habilitado para escritura en Apache Tomcat. Este problema afecta a Apache Tomcat: desde 11.0.0-M1 hasta 11.0.2, desde 10.1.0-M1 hasta 10.1.34, desde 9.0.0.M1 hasta 9.0.98. Si todo lo siguiente fuera cierto, un usuario malintencionado podr\u00eda ver archivos sensibles de seguridad y/o inyectar contenido en esos archivos: - escrituras habilitadas para el servlet predeterminado (deshabilitado por defecto) - soporte para PUT parcial (habilitado por defecto) - una URL de destino para cargas sensibles de seguridad que era un subdirectorio de una URL de destino para cargas p\u00fablicas - conocimiento del atacante de los nombres de los archivos sensibles de seguridad que se estaban cargando - los archivos sensibles de seguridad tambi\u00e9n se estaban cargando a trav\u00e9s de PUT parcial Si todo lo siguiente fuera cierto, un usuario malintencionado podr\u00eda realizar una ejecuci\u00f3n remota de c\u00f3digo: - escrituras habilitadas para el servlet predeterminado (deshabilitado por defecto) - soporte para PUT parcial (habilitado por defecto) - la aplicaci\u00f3n estaba usando la persistencia de sesi\u00f3n basada en archivos de Tomcat con la ubicaci\u00f3n de almacenamiento predeterminada - la aplicaci\u00f3n inclu\u00eda una biblioteca que se puede aprovechar en un ataque de deserializaci\u00f3n Se recomienda a los usuarios actualizar a la versi\u00f3n 11.0.3, 10.1.35 o 9.0.98, que corrige el problema."
}
],
"id": "CVE-2025-24813",
"lastModified": "2025-04-03T20:59:51.680",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-03-10T17:15:35.067",
"references": [
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/03/10/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20250321-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit"
],
"url": "https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-44"
},
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
},
{
"lang": "en",
"value": "CWE-706"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-09-19 13:29
Modified
2025-04-20 01:37
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
References
Impacted products
{
"cisaActionDue": "2022-04-15",
"cisaExploitAdd": "2022-03-25",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Apache Tomcat on Windows Remote Code Execution Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0A3F5425-BA5F-411C-BA1D-FFC3D2EBF93D",
"versionEndIncluding": "7.0.79",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7EF6650C-558D-45C8-AE7D-136EE70CB6D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7DCBCC5D-C396-47A8-ADF4-D3A2C4377FB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*",
"matchCriteriaId": "3BD81527-A341-42C3-9AB9-880D3DB04B08",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "E3A36AEE-5842-4876-9C2F-E703C981C992",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "CB70A2F8-EAB3-4898-9353-F679FF721C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*",
"matchCriteriaId": "EB3AC848-C2D0-4878-8619-F5815173555D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "681173DF-537E-4A64-8FC7-75F439CCAD0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8E2F2F98-DB90-43F6-8F28-3656207B6188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_web_server_text-only_advisories:-:*:*:*:*:*:*:*",
"matchCriteriaId": "08E5BFFC-F3E0-43E6-BA40-81B2A8B7CC01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F96E3779-F56A-45FF-BB3D-4980527D721E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0CF73560-2F5B-4723-A8A1-9AADBB3ADA00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "5BF3C7A5-9117-42C7-BEA1-4AA378A582EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*",
"matchCriteriaId": "83737173-E12E-4641-BC49-0BD84A6B29D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "46DD0CA2-3786-4E97-A60C-5043FDDBCB86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "55E4609A-C986-4041-A528-1B4B37E1F6F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "92BDD126-A468-47D9-A468-6E229D75939D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6DAA8C42-870A-42B4-AE9F-7C67F4122ED3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*",
"matchCriteriaId": "2148300C-ECBD-4ED5-A164-79629859DD43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:*:*:*:*:*:*:*",
"matchCriteriaId": "B908AEF5-67CE-42D4-961D-C0E7ADB78ADD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.5_s390x:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8EB695-5EA3-46D2-941E-D7F01AB99A48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.6_s390x:*:*:*:*:*:*:*",
"matchCriteriaId": "1E1DB003-76B8-4D7B-A6ED-5064C3AE1C11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:*:*:*:*:*:*:*",
"matchCriteriaId": "FFC68D88-3CD3-4A3D-A01B-E9DBACD9B9CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:*:*:*:*:*:*:*",
"matchCriteriaId": "8BCF87FD-9358-42A5-9917-25DF0180A5A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:*:*:*:*:*:*:*",
"matchCriteriaId": "9B8B2E32-B838-4E51-BAA2-764089D2A684",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.5_ppc64:*:*:*:*:*:*:*",
"matchCriteriaId": "4319B943-7B19-468D-A160-5895F7F997A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.6_ppc64:*:*:*:*:*:*:*",
"matchCriteriaId": "39C1ABF5-4070-4AA7-BAB8-4F63E1BD91FF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.7_ppc64:*:*:*:*:*:*:*",
"matchCriteriaId": "8036E2AE-4E44-4FA5-AFFB-A3724BFDD654",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0_ppc64le:*:*:*:*:*:*:*",
"matchCriteriaId": "7A584AAA-A14F-4C64-8FED-675DC36F69A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:*:*:*:*:*:*:*",
"matchCriteriaId": "E9A24D0C-604D-4421-AFA6-5D541DA2E94D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.5_ppc64le:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2E3637-B6A6-4DA9-8B0A-E91F22130A45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.6_ppc64le:*:*:*:*:*:*:*",
"matchCriteriaId": "F81F859C-DA89-4D1E-91D3-A000AD646203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.7_ppc64le:*:*:*:*:*:*:*",
"matchCriteriaId": "418488A5-2912-406C-9337-B8E85D0C2B57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "37CE1DC7-72C5-483C-8921-0B462C8284D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "D99A687E-EAE6-417E-A88E-D0082BC194CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B353CE99-D57C-465B-AAB0-73EF581127D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*",
"matchCriteriaId": "7431ABC1-9252-419E-8CC1-311B41360078",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.4_ppc64le:*:*:*:*:*:*:*",
"matchCriteriaId": "A70DB420-5485-4820-9F1C-3F78A6219984",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.6_ppc64le:*:*:*:*:*:*:*",
"matchCriteriaId": "D9942F96-A8C1-4281-82C5-BB9D9C50A6CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.7_ppc64le:*:*:*:*:*:*:*",
"matchCriteriaId": "5325286E-F11D-4713-B666-5D7A4F65B326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:*:*:*:*:*:*:*",
"matchCriteriaId": "CC6A25CB-907A-4D05-8460-A2488938A8BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "D5F7E11E-FB34-4467-8919-2B6BEAABF665",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*",
"matchCriteriaId": "17F256A9-D3B9-4C72-B013-4EFD878BFEA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E5ED5807-55B7-47C5-97A6-03233F4FBC3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server."
},
{
"lang": "es",
"value": "Cuando se ejecuta Apache Tomcat en sus versiones 7.0.0 a 7.0.79 en Windows con HTTP PUT habilitado (por ejemplo, estableciendo el par\u00e1metro de inicializaci\u00f3n de solo lectura del Default en \"false\") fue posible subir un archivo JSP al servidor mediante una petici\u00f3n especialmente manipulada. Este archivo JSP podr\u00eda ser solicitado y cualquier c\u00f3digo que contenga podr\u00eda ser ejecutado por el servidor."
}
],
"id": "CVE-2017-12615",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2017-09-19T13:29:00.190",
"references": [
{
"source": "security@apache.org",
"tags": [
"Exploit"
],
"url": "http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html"
},
{
"source": "security@apache.org",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100901"
},
{
"source": "security@apache.org",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1039392"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3080"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3081"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3113"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3114"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0465"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0466"
},
{
"source": "security@apache.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/breaktoprotect/CVE-2017-12615"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Mailing List"
],
"url": "https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20171018-0001/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42953/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.synology.com/support/security/Synology_SA_17_54_Tomcat"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/100901"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1039392"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3080"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3081"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3113"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3114"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0465"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0466"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/breaktoprotect/CVE-2017-12615"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Mailing List"
],
"url": "https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20171018-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42953/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.synology.com/support/security/Synology_SA_17_54_Tomcat"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2002-10-04 04:00
Modified
2025-04-03 01:03
Severity ?
Summary
Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, allows remote attackers to cause a denial of service (resource exhaustion) via a large number of requests to the server with null characters, which causes the working threads to hang.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, allows remote attackers to cause a denial of service (resource exhaustion) via a large number of requests to the server with null characters, which causes the working threads to hang."
}
],
"id": "CVE-2002-0935",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2002-10-04T04:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0120.html"
},
{
"source": "cve@mitre.org",
"url": "http://online.securityfocus.com/archive/1/277940"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.iss.net/security_center/static/9396.php"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/5051"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.securityfocus.com/bid/5067"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0120.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://online.securityfocus.com/archive/1/277940"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.iss.net/security_center/static/9396.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/5051"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.securityfocus.com/bid/5067"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-10-13 20:00
Modified
2025-04-09 00:30
Severity ?
Summary
Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | 4.1.0 | |
| apache | tomcat | 4.1.1 | |
| apache | tomcat | 4.1.2 | |
| apache | tomcat | 4.1.3 | |
| apache | tomcat | 4.1.3 | |
| apache | tomcat | 4.1.4 | |
| apache | tomcat | 4.1.5 | |
| apache | tomcat | 4.1.6 | |
| apache | tomcat | 4.1.7 | |
| apache | tomcat | 4.1.8 | |
| apache | tomcat | 4.1.9 | |
| apache | tomcat | 4.1.10 | |
| apache | tomcat | 4.1.11 | |
| apache | tomcat | 4.1.12 | |
| apache | tomcat | 4.1.13 | |
| apache | tomcat | 4.1.14 | |
| apache | tomcat | 4.1.15 | |
| apache | tomcat | 4.1.16 | |
| apache | tomcat | 4.1.17 | |
| apache | tomcat | 4.1.18 | |
| apache | tomcat | 4.1.19 | |
| apache | tomcat | 4.1.20 | |
| apache | tomcat | 4.1.21 | |
| apache | tomcat | 4.1.22 | |
| apache | tomcat | 4.1.23 | |
| apache | tomcat | 4.1.24 | |
| apache | tomcat | 4.1.25 | |
| apache | tomcat | 4.1.26 | |
| apache | tomcat | 4.1.27 | |
| apache | tomcat | 4.1.28 | |
| apache | tomcat | 4.1.29 | |
| apache | tomcat | 4.1.30 | |
| apache | tomcat | 4.1.31 | |
| apache | tomcat | 5.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0E300013-0CE7-4313-A553-74A6A247B3E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E08D7414-8D0C-45D6-8E87-679DF0201D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "AB15C5DB-0DBE-4DAD-ACBD-FAE23F768D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "60CFD9CA-1878-4C74-A9BD-5D581736E6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*",
"matchCriteriaId": "B7E52BE7-5281-4430-8846-E41CF34FC214",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "02860646-1D72-4D9A-AE2A-5868C8EDB3AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "5BE4B9B5-9C2E-47E1-9483-88A17264594F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "5BE92A9B-4B8C-468E-9162-A56ED5313E17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "AE21D455-5B38-4B07-8E25-4EE782501EB3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "B9AE125C-EB8E-4D33-BB64-1E2AEE18BF81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "47588ABB-FCE6-478D-BEAD-FC9A0C7D66DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C92F3744-C8F9-4E29-BF1A-25E03A32F2C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "084B3227-FE22-43E3-AE06-7BB257018690",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.12:*:*:*:*:*:*:*",
"matchCriteriaId": "F7DDA1D1-1DB2-4FD6-90A6-7DDE2FDD73F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D2BFF1D5-2E34-4A01-83A7-6AA3A112A1B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6D536FF4-7582-4351-ABE3-876E20F8E7FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*",
"matchCriteriaId": "1C03E4C9-34E3-42F7-8B73-D3C595FD7EE1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.16:*:*:*:*:*:*:*",
"matchCriteriaId": "FB43F47F-5BF9-43A0-BF0E-451B4A8F7137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.17:*:*:*:*:*:*:*",
"matchCriteriaId": "DFFFE700-AAFE-4F5B-B0E2-C3DA76DE492D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.18:*:*:*:*:*:*:*",
"matchCriteriaId": "11DDD82E-5D83-4581-B2F3-F12655BBF817",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8A0F0C91-171E-421D-BE86-11567DEFC7BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.20:*:*:*:*:*:*:*",
"matchCriteriaId": "F22D2621-D305-43CE-B00D-9A7563B061F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.21:*:*:*:*:*:*:*",
"matchCriteriaId": "9A5D55E8-D3A3-4784-8AC6-CCB07E470AB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.22:*:*:*:*:*:*:*",
"matchCriteriaId": "7F4245BA-B05C-49DE-B2E0-1E588209ED3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.23:*:*:*:*:*:*:*",
"matchCriteriaId": "8633532B-9785-4259-8840-B08529E20DCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*",
"matchCriteriaId": "B1D9BD7E-FCC2-404B-A057-1A10997DAFF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F935ED72-58F4-49C1-BD9F-5473E0B9D8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.26:*:*:*:*:*:*:*",
"matchCriteriaId": "FADB75DC-8713-4F0C-9F06-30DA6F6EF6B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.27:*:*:*:*:*:*:*",
"matchCriteriaId": "2EA52901-2D16-4F7E-BF5E-780B42A55D6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*",
"matchCriteriaId": "6A79DA2C-35F3-47DE-909B-8D8D1AE111C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.29:*:*:*:*:*:*:*",
"matchCriteriaId": "8BF6952D-6308-4029-8B63-0BD9C648C60F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.30:*:*:*:*:*:*:*",
"matchCriteriaId": "94941F86-0BBF-4F30-8F13-FB895A11ED69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*",
"matchCriteriaId": "17522878-4266-432A-859D-C02096C8AC0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a \"synchronization problem\" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve."
},
{
"lang": "es",
"value": "Apache Tomcat 5.5.0 y 4.1.0 hasta la 4.1.31 permite a atacantes remotos eludir una restricci\u00f3n de direcci\u00f3n IP y obtener informaci\u00f3n sensible a trav\u00e9s de una solicitud \r\nque se tramita simult\u00e1neamente con otra petici\u00f3n, pero en otro hilo, lo que lleva a una sobreescritura de una variable de instancia asociada con un \"problema de sincronizaci\u00f3n\" y con un fallo de seguridad en la implementaci\u00f3n de los hilos, relacionada con RemoteFilterValve, RemoteAddrValve, y RemoteHostValve."
}
],
"id": "CVE-2008-3271",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-10-13T20:00:02.057",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://jvn.jp/en/jp/JVN30732239/index.html"
},
{
"source": "secalert@redhat.com",
"url": "http://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000069.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00012.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/32213"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/32234"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/32398"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/35684"
},
{
"source": "secalert@redhat.com",
"url": "http://securityreason.com/securityalert/4396"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.nec.co.jp/security-info/secinfo/nv09-006.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/497220/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/31698"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id?1021039"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/2793"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/2800"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/1818"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45791"
},
{
"source": "secalert@redhat.com",
"url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=25835"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://jvn.jp/en/jp/JVN30732239/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000069.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00012.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/32213"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/32234"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/32398"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/35684"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/4396"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.nec.co.jp/security-info/secinfo/nv09-006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/497220/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/31698"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1021039"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/2793"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/2800"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/1818"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45791"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=25835"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-04-28 20:15
Modified
2025-05-06 21:16
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible
for a specially crafted request to bypass some rewrite rules. If those
rewrite rules effectively enforced security constraints, those
constraints could be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/list.html?announce@tomcat.apache.org | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/04/28/3 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB09D245-9455-444D-8265-743642DD53C9",
"versionEndExcluding": "9.0.104",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E5BD6C26-75CE-4DDC-BF4D-5A5187BD4CAF",
"versionEndExcluding": "10.1.40",
"versionStartIncluding": "10.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9331B3B3-C3C4-4D12-BE11-043F6614B2D3",
"versionEndExcluding": "11.0.6",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.\u00a0For a subset of unlikely rewrite rule configurations, it was possible \nfor a specially crafted request to bypass some rewrite rules. If those \nrewrite rules effectively enforced security constraints, those \nconstraints could be bypassed.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.\n\nUsers are recommended to upgrade to version [FIXED_VERSION], which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de secuencias de escape, metadatos o de control en Apache Tomcat. En un subconjunto de configuraciones improbables de reglas de reescritura, una solicitud especialmente manipulada pod\u00eda eludir algunas reglas de reescritura. Si dichas reglas aplicaban restricciones de seguridad de forma eficaz, estas pod\u00edan eludirse. Este problema afecta a Apache Tomcat: de la 11.0.0-M1 a la 11.0.5, de la 10.1.0-M1 a la 10.1.39 y de la 9.0.0.M1 a la 9.0.102. Se recomienda a los usuarios actualizar a la versi\u00f3n [FIXED_VERSION], que soluciona el problema."
}
],
"id": "CVE-2025-31651",
"lastModified": "2025-05-06T21:16:18.480",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-04-28T20:15:20.783",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/list.html?announce@tomcat.apache.org"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/04/28/3"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-03-20 18:59
Modified
2025-04-20 01:37
Severity ?
Summary
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "0682A754-5E5E-48D4-836A-16841FD59445",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "3A8F2DFC-6A74-43AB-A813-957A1F7097A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "277332E0-60D9-4318-A068-901F3B037FA9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "759588B8-DD36-474E-978B-75638962E743",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "CE92E59A-FF0D-4D1A-8B12-CC41A7E1FD3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "48E5E8C3-21AD-4230-B945-AB7DE66307B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "2949EC36-0056-43F0-93EC-681EAC22B112",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4945C8C1-C71B-448B-9075-07C6C92599CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED4730B0-2E09-408B-AFD4-FE00F73700FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DE8A8A-7643-4292-BCC1-758AE0940207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "3CB6826E-FEBF-4DD7-BED5-1942DFA73BE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "E9B54FCD-CF7C-47E2-8513-40419E47AF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "8B9AC2B8-D1AC-48E2-B88E-C7837D4F8A7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "D87EFB6D-B626-469F-907C-40C771A55833",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "38DA4B34-1759-4FC5-82E9-B2223905B9B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "6330B97B-8FC5-4D7E-A960-5D94EDD0C378",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "2A0B2FA4-772E-4B23-8B3F-CC86515E4226",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "0AE27868-CBD2-4EB9-8732-DD4C0E10D6D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "7B1F7611-C424-4B5E-94B3-3B69EABF342E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "4C132EED-8FCA-4FDA-9FF6-C5FA44E8DA2E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "5E8FF71D-4710-4FBB-9925-A6A26C450F7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "BCAF1EB5-FB34-40FC-96ED-9D073890D8BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED5125CC-05F9-4678-90DB-A5C7CD24AE6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "1B904C74-B92E-4EAE-AE6C-78E2B844C3DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "7A11BD74-305C-41E2-95B1-5008EEF5FA5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "595442D0-9DB7-475A-AE30-8535B70E122E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0BA92A-0BD3-4CE4-9465-95E949104BAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*",
"matchCriteriaId": "DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*",
"matchCriteriaId": "67A0EA46-5AEA-4D0A-B89E-6560FA10EC08",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
"matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7D0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*",
"matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*",
"matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*",
"matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*",
"matchCriteriaId": "A225D4F7-174E-47C3-8390-C6FA28DB5A9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA1555C-E55A-4E14-B786-BFEE3F09220B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*",
"matchCriteriaId": "6BAC42AE-B82A-4ABF-9519-B2D97D925707",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*",
"matchCriteriaId": "F8075E9A-DA7F-4A0B-8B4D-0CD951369111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*",
"matchCriteriaId": "335A5320-6086-4B45-9903-82F6F92A584F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*",
"matchCriteriaId": "46B33408-C2E2-4E7C-9334-6AB98F13468C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*",
"matchCriteriaId": "9F036676-9EFB-4A92-828E-A38905D594E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*",
"matchCriteriaId": "E9728EE8-6029-4DF3-942E-E4ACC09111A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*",
"matchCriteriaId": "62DBB843-288C-4060-8777-6CDCF1860D29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*",
"matchCriteriaId": "34E7DAC8-8419-45D1-A28F-14CF2FE1B6EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*",
"matchCriteriaId": "89B87EB5-4902-4C2A-878A-45185F7D0FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*",
"matchCriteriaId": "C0596E6C-9ACE-4106-A2FF-BED7967C323F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*",
"matchCriteriaId": "8F7158DC-966B-4508-8600-40E3E9D3D0DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*",
"matchCriteriaId": "A190FE0D-86C1-49EE-BDAE-5879C32BDC92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*",
"matchCriteriaId": "CA20F45F-01A2-43DD-9731-DFF54E31719F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "67E42327-8AEA-4B92-BA5F-AF94430B3BBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C4DB619-F6B0-4896-9AE2-7E7D92105577",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF96F96-34DB-4EB3-BF59-11220673FA26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "44883383-6360-4BE6-9B48-1308F85E5797",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EDF3E379-47D2-4C86-8C6D-8B3C25A0E1C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E82391BD-10FF-4E7F-91DC-35AA11325530",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "92C22F12-C072-4A12-A4A9-CBF589A36FF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "61E008F8-2F01-4DD8-853A-337B4B4163C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "6A776B25-6AF1-421B-8E47-2A7499F6B4D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "7A332FDE-42AE-4F48-9553-5AE953CD6D3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "701424A2-BB06-44B5-B468-7164E4F95529",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1BA6388C-5B6E-4651-8AE3-EBCCF61C27E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "A63FA521-9D20-49B9-A9A4-0DF891B4E4E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "8F9A5B7E-33A9-4651-9BE1-371A0064B661",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "F99252E8-A59C-48E1-B251-718D7FB3E399",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9D05293B-B9D8-42F1-9367-9D2E058EFAD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "4E0DDEF6-A8EE-46C4-A046-A1F26E7C4E87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "14B38892-9C00-4510-B7BA-F2A8F2CACCAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8C913AA6-2260-4249-BE1D-7139F45735D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "7409B064-D43E-489E-AEC6-0A767FB21737",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "F019268F-80C4-48FE-8164-E9DA0A3BAFF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "1EFBD214-FCFE-4F04-A903-66EFDA764B9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "425D86B3-6BB9-410D-8125-F7CF87290AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "3EE3BB0D-1002-41E4-9BE8-875D97330057",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "25D0E80B-EDDA-4876-912D-44BFE6211EB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "6622472B-8644-4D45-A54B-A215C3D64B83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "B338F95B-2924-435B-827F-E64420A93244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "209D1349-7740-4DBE-80A5-E6343C62BAB5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "09E77C24-C265-403D-A193-B3739713F6B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "28616FA3-9A98-4AAE-9F94-3E77A14156EA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "335925DA-11C0-4222-B6B7-82602B361751",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "603A14BF-72BB-4A3D-8CBC-932DC45CEC06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "4C2E1C55-3C89-4F26-A981-1195BCC9BB5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "FC242407-A447-4ABD-8E19-EB6DB1F35121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "31BB906B-812F-462C-9AEE-147C1418D865",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "0B701E17-D231-44ED-A46E-C67749A725B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B8CAF2F7-D227-4F06-B0E6-533C5EDB105B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "305B73CE-0224-4E73-8EB2-FC41A62FBA08",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69A7FC28-A0EC-4516-9776-700343D2F4DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "18814653-6D44-47D9-A2F5-89C5AFB255F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D811A9-4988-4C11-AA27-F5BE2B93D8D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FAEF824D-7E95-4BC1-8DBB-787DCE595E21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "97F4A2B3-DB1D-4D0B-B5FF-7EE2A0D291BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0B461D5A-1208-498F-B551-46C6D514AC2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "598E5D91-0165-4D55-9EDD-EBB5AAAD1172",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own."
},
{
"lang": "es",
"value": "El c\u00f3digo en Apache Tomcat 9.0.0.M1 a 9.0.0.M11, 8.5.0 a 8.5.6, 8.0.0.RC1 a 8.0.38, 7.0.0 a 7.0.72 y 6.0.0 a 6.0.47 que analiz\u00f3 la l\u00ednea de solicitud HTTP permiti\u00f3 caracteres no v\u00e1lidos. Esto podr\u00eda ser explotado, junto con un proxy que tambi\u00e9n permiti\u00f3 los caracteres no v\u00e1lidos, pero con una interpretaci\u00f3n diferente, para inyectar datos en la respuesta HTTP. Mediante la manipulaci\u00f3n de la respuesta HTTP, el atacante podr\u00eda envenenar una cach\u00e9 web, realizar un ataque XSS y/u obtener informaci\u00f3n sensible de otras solicitudes que no sean las suyas."
}
],
"id": "CVE-2016-6816",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-03-20T18:59:00.173",
"references": [
{
"source": "security@apache.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0244.html"
},
{
"source": "security@apache.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0245.html"
},
{
"source": "security@apache.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0246.html"
},
{
"source": "security@apache.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0247.html"
},
{
"source": "security@apache.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0250.html"
},
{
"source": "security@apache.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html"
},
{
"source": "security@apache.org",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0527.html"
},
{
"source": "security@apache.org",
"url": "http://www.debian.org/security/2016/dsa-3738"
},
{
"source": "security@apache.org",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94461"
},
{
"source": "security@apache.org",
"url": "http://www.securitytracker.com/id/1037332"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:0455"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:0456"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:0935"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20180607-0001/"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M13"
},
{
"source": "security@apache.org",
"url": "https://usn.ubuntu.com/4557-1/"
},
{
"source": "security@apache.org",
"url": "https://www.exploit-db.com/exploits/41783/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0244.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0245.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0246.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0247.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0250.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0527.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94461"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1037332"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:0455"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:0456"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:0935"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20180607-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://usn.ubuntu.com/4557-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/41783/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-16 15:15
Modified
2025-06-24 19:49
Severity ?
Summary
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/06/16/1 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D212C189-EFC0-43CC-89C0-DAD766413A98",
"versionEndExcluding": "9.0.106",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "573ACC55-1E48-4489-A269-12C1A4501DDA",
"versionEndExcluding": "10.1.42",
"versionStartIncluding": "10.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EE393E87-D325-4ABB-B49C-5863ECD3DD83",
"versionEndExcluding": "11.0.8",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.\n\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de asignaci\u00f3n de recursos sin l\u00edmites o limitaci\u00f3n en Apache Tomcat. Este problema afecta a Apache Tomcat: de 11.0.0-M1 a 11.0.7, de 10.1.0-M1 a 10.1.41, y de 9.0.0.M1 a 9.0.105. Se recomienda actualizar a las versiones 11.0.8, 10.1.42 o 9.0.106, que solucionan el problema."
}
],
"id": "CVE-2025-48988",
"lastModified": "2025-06-24T19:49:04.033",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-06-16T15:15:24.563",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/06/16/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-14 15:15
Modified
2024-11-21 05:02
Severity ?
Summary
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC12DC95-E469-4172-B8EE-5465CCB0D834",
"versionEndIncluding": "8.5.56",
"versionStartIncluding": "8.5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6BECF310-3247-4CE3-87F2-0E88C0278341",
"versionEndIncluding": "9.0.36",
"versionStartIncluding": "9.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "90CD7E85-4FF9-4158-AC78-4BFCBC882A65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "7EA56B52-1015-40CD-B10C-393768094269",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "501B0D4A-D636-4736-979B-D5023599CEFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "94E7764F-BF9E-463E-B446-A9A8DB92BB97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "53A9F7EE-AF2A-43E5-B708-0198784AB45A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "AC872C5F-63AF-4BB8-8629-334FC9704AE8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "34B80C9D-62AA-42FA-AB46-F8A414FCBE5E",
"versionEndIncluding": "3.1.3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "ED43772F-D280-42F6-A292-7198284D6FE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C4A94B36-479F-48F2-9B9E-ACEA2589EF48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9C5E9A12-BFE9-4963-A360-A34168A6BF6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:fmw_platform:12.2.1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CA2E1357-E3A1-461C-B7A0-A9446E45496D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*",
"matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A2E3E923-E2AD-400D-A618-26ADF7F841A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9AB58D27-37F2-4A32-B786-3490024290A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "70C60E6C-1A61-422B-A132-FB024761F576",
"versionEndIncluding": "8.0.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30DB69BD-0F6E-4AB5-A861-7CB911C35660",
"versionEndIncluding": "20.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AD848FE1-CFD7-490C-B008-DF3B30F3256F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*",
"matchCriteriaId": "630C8E99-FE49-486E-9003-40B82809B7A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*",
"matchCriteriaId": "C842DE9E-5E12-4295-AFA5-DEB5FEDE490A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service."
},
{
"lang": "es",
"value": "Una conexi\u00f3n directa h2c a Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0-M6, versiones 9.0.0.M5 hasta 9.0.36 y versiones 8.5.1 hasta 8.5.56, no public\u00f3 el procesador HTTP/1.1 despu\u00e9s de la actualizaci\u00f3n a HTTP/2. Si un n\u00famero suficiente de tales peticiones fueron hechas, podr\u00eda ocurrir una OutOfMemoryException conllevando a una denegaci\u00f3n de servicio"
}
],
"id": "CVE-2020-13934",
"lastModified": "2024-11-21T05:02:10.717",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-14T15:15:11.007",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Release Notes",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r61f411cf82488d6ec213063fc15feeeb88e31b0ca9c29652ee4f962e%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/ra072b1f786e7d139e86f1d1145572e0ff71cef38a96d9c6f5362aac8%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200724-0003/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4596-1/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4727"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Release Notes",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r61f411cf82488d6ec213063fc15feeeb88e31b0ca9c29652ee4f962e%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/ra072b1f786e7d139e86f1d1145572e0ff71cef38a96d9c6f5362aac8%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200724-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4596-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4727"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-401"
},
{
"lang": "en",
"value": "CWE-476"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-27 13:15
Modified
2024-11-21 06:48
Severity ?
Summary
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| oracle | agile_engineering_data_management | 6.2.1.0 | |
| oracle | communications_cloud_native_core_policy | 1.15.0 | |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 | |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 | |
| oracle | managed_file_transfer | 12.2.1.3.0 | |
| oracle | managed_file_transfer | 12.2.1.4.0 | |
| oracle | mysql_enterprise_monitor | * | |
| debian | debian_linux | 10.0 | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2B1B1948-279A-496F-B6BE-09B6450B92B9",
"versionEndIncluding": "8.5.73",
"versionStartIncluding": "8.5.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64612E68-03F6-4BB8-BF27-0EBA1FF4E8DD",
"versionEndIncluding": "9.0.56",
"versionStartIncluding": "9.0.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "107AE685-1C09-4DFD-BD52-1E5C1AC51769",
"versionEndIncluding": "10.0.14",
"versionStartIncluding": "10.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "83B9FF07-1B93-4F8C-AC56-7CA74E61B724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "53A9F7EE-AF2A-43E5-B708-0198784AB45A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "AC872C5F-63AF-4BB8-8629-334FC9704AE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "94B95C95-DF3E-49C1-9CA0-4474DD7EF7B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "310B0163-01DE-40DA-A2EA-FFA4A6100037",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "75420449-A951-4133-A5F1-4C01F2DF843B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "D334103F-F64E-4869-BCC8-670A5AFCC76C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "55F091C7-0869-4FD6-AC73-DA697D990304",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4D134C60-F9E2-46C2-8466-DB90AD98439E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A2E3E923-E2AD-400D-A618-26ADF7F841A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9AB58D27-37F2-4A32-B786-3490024290A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0EBAC6D-D0CE-42A1-AEA0-2D50C8035747",
"versionEndIncluding": "8.0.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore."
},
{
"lang": "es",
"value": "Una correcci\u00f3n del bug CVE-2020-9484 introdujo una vulnerabilidad de tiempo de comprobaci\u00f3n, tiempo de uso en Apache Tomcat versiones 10.1.0-M1 a 10.1.0-M8, versiones 10.0.0-M5 a 10.0.14, versiones 9.0.35 a 9.0.56 y versiones 8.5.55 a 8.5.73, que permit\u00eda a un atacante local llevar a cabo acciones con los privilegios del usuario que est\u00e1 usando el proceso Tomcat. Este problema s\u00f3lo es explotable cuando Tomcat est\u00e1 configurado para persistir sesiones usando el FileStore"
}
],
"id": "CVE-2022-23181",
"lastModified": "2024-11-21T06:48:08.640",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 3.7,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 1.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-27T13:15:08.060",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Mitigation",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220217-0010/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5265"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220217-0010/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5265"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-367"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-367"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-06-05 16:00
Modified
2025-04-09 00:30
Severity ?
Summary
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FABEAD3F-1066-4802-BDFD-5F42406D2963",
"versionEndIncluding": "4.1.39",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88DD2300-F68E-4BD9-A511-7E9F1A6DD43B",
"versionEndIncluding": "5.5.27",
"versionStartIncluding": "5.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7888A749-8246-491C-AF4E-10762170ECE4",
"versionEndIncluding": "6.0.18",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application."
},
{
"lang": "es",
"value": "Apache Tomcat v4.1.0 hasta la v4.1.39, v5.5.0 hasta la v5.5.27 y v6.0.0 hasta la v6.0.18 permite a las aplicaciones web reemplazar un \"parser\" (extractor de informaci\u00f3n) XML utilizado por otras aplicaciones web, lo que permite a los usuarios locales leer o modificar los ficheros (1) web.xml, (2) context.xml o (3) ficheros tld de aplicaciones web de su elecci\u00f3n a trav\u00e9s de una aplicacion manipulada que es cargada antes de la aplicaci\u00f3n web objetivo del ataque."
}
],
"id": "CVE-2009-0783",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 0.8,
"impactScore": 3.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2009-06-05T16:00:00.267",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List"
],
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/35685"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/35788"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/37460"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/42368"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://support.apple.com/kb/HT4077"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=652592\u0026view=rev"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=681156\u0026view=rev"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=739522\u0026view=rev"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=781542\u0026view=rev"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=781708\u0026view=rev"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2011/dsa-2207"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:136"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:138"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/504090/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/35416"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id?1022336"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/1856"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/3056"
},
{
"source": "secalert@redhat.com",
"tags": [
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51195"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=29936"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking"
],
"url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=45933"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"tags": [
"Tool Signature"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716"
},
{
"source": "secalert@redhat.com",
"tags": [
"Tool Signature"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913"
},
{
"source": "secalert@redhat.com",
"tags": [
"Tool Signature"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/35685"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/35788"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/37460"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/42368"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://support.apple.com/kb/HT4077"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=652592\u0026view=rev"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=681156\u0026view=rev"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=739522\u0026view=rev"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=781542\u0026view=rev"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=781708\u0026view=rev"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2011/dsa-2207"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:136"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:138"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/504090/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/35416"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id?1022336"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/1856"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/3316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/3056"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51195"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=29936"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=45933"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Tool Signature"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Tool Signature"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Tool Signature"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-23 23:29
Modified
2024-11-21 03:59
Severity ?
Summary
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0204E778-1E01-4781-8B75-B9246B2AFCCF",
"versionEndIncluding": "7.0.84",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF49B49E-FE51-4731-81F4-75489CEB5270",
"versionEndIncluding": "8.0.49",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "F963D737-2E95-4D7C-92C7-DACF3F36D1E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7C6119C4-1200-4EBE-89AB-6AB755C6DE3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A4355F36-B223-4819-8272-751EBB68782F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E5962DD4-006E-42F3-A0B0-A1787C0E9384",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "6B0D2EE9-1220-4A81-93E6-97FFD3960CFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "2F4ABA66-A344-43F1-98A0-4CD5D8728F0F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "760F85D9-4F6A-479B-987A-A096F0EF888A",
"versionEndIncluding": "8.5.27",
"versionStartIncluding": "8.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*",
"matchCriteriaId": "9070C9D8-A14A-467F-8253-33B966C16886",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2177A5E9-B260-499E-8D60-920679518425",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.1.3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AEB446C9-1AC2-4D7D-83DE-08934DDFC8B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A2E3E923-E2AD-400D-A618-26ADF7F841A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:micros_relate_crm_software:11.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EE3A1A04-5AAE-40D9-842A-8B46211C5D95",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them."
},
{
"lang": "es",
"value": "Las restricciones de seguridad definidas por anotaciones en Servlets en Apache Tomcat 9.0.0.M1 a 9.0.4, 8.5.0 a 8.5.27, 8.0.0.RC1 a 8.0.49 y 7.0.0 a 7.0.84 solo se aplicaban una vez se haya cargado el Servlet. Debido a que las restricciones de seguridad definidas de esta forma se aplican al patr\u00f3n URL y a cualquier URL bajo ese punto, era posible (dependiendo del orden en el qe se cargan los Servlets) que no se aplicasen algunas restricciones de seguridad. Esto podr\u00eda haber expuesto recursos a los usuarios que no estaban autorizados a acceder a ellos."
}
],
"id": "CVE-2018-1305",
"lastModified": "2024-11-21T03:59:35.267",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-23T23:29:00.937",
"references": [
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103144"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1040428"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0465"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0466"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1320"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2939"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2019:2205"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20180706-0001/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3665-1/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4281"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/103144"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1040428"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0465"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0466"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1320"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2939"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2019:2205"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20180706-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3665-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4281"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-01-14 15:15
Modified
2024-11-21 05:52
Severity ?
Summary
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | * | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 9.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| apache | tomcat | 10.0.0 | |
| debian | debian_linux | 9.0 | |
| oracle | agile_plm | 9.3.3 | |
| oracle | agile_plm | 9.3.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AD7B0066-F7CD-4609-91F5-A778DD56EAE9",
"versionEndIncluding": "7.0.106",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74CD42-7B43-4444-B121-B9C1ECFDB67D",
"versionEndIncluding": "8.5.59",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2EA947E9-FC93-4FAA-9988-27BC4C26CA36",
"versionEndIncluding": "9.0.39",
"versionStartIncluding": "9.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "90CD7E85-4FF9-4158-AC78-4BFCBC882A65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "7EA56B52-1015-40CD-B10C-393768094269",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "501B0D4A-D636-4736-979B-D5023599CEFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "94E7764F-BF9E-463E-B446-A9A8DB92BB97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "53A9F7EE-AF2A-43E5-B708-0198784AB45A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "AC872C5F-63AF-4BB8-8629-334FC9704AE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "94B95C95-DF3E-49C1-9CA0-4474DD7EF7B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "310B0163-01DE-40DA-A2EA-FFA4A6100037",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "75420449-A951-4133-A5F1-4C01F2DF843B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances."
},
{
"lang": "es",
"value": "Cuando se sirven recursos desde una ubicaci\u00f3n de red usando el sistema de archivos NTFS, Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0-M9, versiones 9.0.0.M1 hasta 9.0.39, versiones 8.5.0 hasta 8.5.59 y versiones 7.0.0 hasta 7.0.106, fueron susceptibles a una divulgaci\u00f3n del c\u00f3digo fuente JSP en algunas configuraciones.\u0026#xa0;La causa ra\u00edz fue el comportamiento inesperado de la funci\u00f3n File.getCanonicalPath() de la API JRE que a su vez fue causado por el comportamiento incoherente de la API de Windows (FindFirstFileW) en algunas circunstancias"
}
],
"id": "CVE-2021-24122",
"lastModified": "2024-11-21T05:52:23.897",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-01-14T15:15:13.400",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/01/14/1"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710%40%3Cdev.tomee.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d%40%3Cdev.tomee.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210212-0008/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/01/14/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710%40%3Cdev.tomee.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d%40%3Cdev.tomee.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9%40%3Cusers.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210212-0008/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-706"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-03-14 19:55
Modified
2025-04-11 00:51
Severity ?
Summary
Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088."
},
{
"lang": "es",
"value": "Apache Tomcat v7.x anterior a v7.0.11, cuando web.xml no tiene restricciones de seguridad, no sigue anotaciones ServletSecurity, lo que permite a atacantes remotos evitar las restricciones de acceso a trav\u00e9s de peticiones HTTP a una aplicaci\u00f3n web. Nota: esta vulnerabilidad existe debido a un parche incompleto para CVE-2011-1088."
}
],
"id": "CVE-2011-1419",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-03-14T19:55:02.637",
"references": [
{
"source": "cve@mitre.org",
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=tomcat-user\u0026m=129966773405409\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://markmail.org/message/lzx5273wsgl5pob6"
},
{
"source": "cve@mitre.org",
"url": "http://markmail.org/message/yzmyn44f5aetmm2r"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43684"
},
{
"source": "cve@mitre.org",
"url": "http://securityreason.com/securityalert/8131"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1079752"
},
{
"source": "cve@mitre.org",
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/71027"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/46685"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2011/0563"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65971"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66154"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=tomcat-user\u0026m=129966773405409\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://markmail.org/message/lzx5273wsgl5pob6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://markmail.org/message/yzmyn44f5aetmm2r"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43684"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/8131"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1079752"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/71027"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/46685"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2011/0563"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65971"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66154"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2005-12-31 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | 4.1.15 | |
| apache | tomcat | 4.1.16 | |
| apache | tomcat | 4.1.17 | |
| apache | tomcat | 4.1.18 | |
| apache | tomcat | 4.1.19 | |
| apache | tomcat | 4.1.20 | |
| apache | tomcat | 4.1.21 | |
| apache | tomcat | 4.1.22 | |
| apache | tomcat | 4.1.23 | |
| apache | tomcat | 4.1.24 | |
| apache | tomcat | 4.1.25 | |
| apache | tomcat | 4.1.26 | |
| apache | tomcat | 4.1.27 | |
| apache | tomcat | 4.1.28 | |
| apache | tomcat | 4.1.29 | |
| apache | tomcat | 4.1.29 | |
| apache | tomcat | 4.1.30 | |
| apache | tomcat | 4.1.31 | |
| apache | tomcat | 4.1.32 | |
| apache | tomcat | 4.1.33 | |
| apache | tomcat | 4.1.34 | |
| apache | tomcat | 4.1.35 | |
| apache | tomcat | 4.1.36 | |
| apache | tomcat | 4.1.37 | |
| apache | tomcat | 4.1.39 | |
| apache | tomcat | 4.1.40 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*",
"matchCriteriaId": "1C03E4C9-34E3-42F7-8B73-D3C595FD7EE1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.16:*:*:*:*:*:*:*",
"matchCriteriaId": "FB43F47F-5BF9-43A0-BF0E-451B4A8F7137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.17:*:*:*:*:*:*:*",
"matchCriteriaId": "DFFFE700-AAFE-4F5B-B0E2-C3DA76DE492D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.18:*:*:*:*:*:*:*",
"matchCriteriaId": "11DDD82E-5D83-4581-B2F3-F12655BBF817",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8A0F0C91-171E-421D-BE86-11567DEFC7BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.20:*:*:*:*:*:*:*",
"matchCriteriaId": "F22D2621-D305-43CE-B00D-9A7563B061F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.21:*:*:*:*:*:*:*",
"matchCriteriaId": "9A5D55E8-D3A3-4784-8AC6-CCB07E470AB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.22:*:*:*:*:*:*:*",
"matchCriteriaId": "7F4245BA-B05C-49DE-B2E0-1E588209ED3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.23:*:*:*:*:*:*:*",
"matchCriteriaId": "8633532B-9785-4259-8840-B08529E20DCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*",
"matchCriteriaId": "B1D9BD7E-FCC2-404B-A057-1A10997DAFF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F935ED72-58F4-49C1-BD9F-5473E0B9D8CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.26:*:*:*:*:*:*:*",
"matchCriteriaId": "FADB75DC-8713-4F0C-9F06-30DA6F6EF6B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.27:*:*:*:*:*:*:*",
"matchCriteriaId": "2EA52901-2D16-4F7E-BF5E-780B42A55D6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.28:alpha:*:*:*:*:*:*",
"matchCriteriaId": "65C47E50-048C-4C2E-9896-5B70AC63CFF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.29:*:*:*:*:*:*:*",
"matchCriteriaId": "8BF6952D-6308-4029-8B63-0BD9C648C60F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.29:alpha:*:*:*:*:*:*",
"matchCriteriaId": "02F88EFB-520A-40E7-AE4D-B167B2AC2EFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.30:*:*:*:*:*:*:*",
"matchCriteriaId": "94941F86-0BBF-4F30-8F13-FB895A11ED69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*",
"matchCriteriaId": "17522878-4266-432A-859D-C02096C8AC0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.32:*:*:*:*:*:*:*",
"matchCriteriaId": "951FFCD7-EAC2-41E6-A53B-F90C540327E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.33:*:*:*:*:*:*:*",
"matchCriteriaId": "BF1F2738-C7D6-4206-9227-43F464887FF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.34:*:*:*:*:*:*:*",
"matchCriteriaId": "98EEB6F2-A721-45CF-A856-0E01B043C317",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.35:*:*:*:*:*:*:*",
"matchCriteriaId": "02FDE602-A56A-477E-B704-41AF92EEBB9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.36:*:*:*:*:*:*:*",
"matchCriteriaId": "5A28B11A-3BC7-41BC-8970-EE075B029F5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.37:*:*:*:*:*:*:*",
"matchCriteriaId": "4AD3E84C-9A2E-4586-A09E-CBDEB1E7F695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.39:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F3B31D-8974-4016-ACAF-E7A917C99F84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.40:*:*:*:*:*:*:*",
"matchCriteriaId": "7E49C8D7-1789-4518-9DC8-D8A8FEAF4233",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information."
}
],
"id": "CVE-2005-4836",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2005-12-31T05:00:00.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/28483"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/28483"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2001-12-31 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
Unknown vulnerability in Tomcat 3.2.1 running on HP Secure OS for Linux 1.0 allows attackers to access servlet resources. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this issue is already covered by other CVE identifiers.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7079F63C-7CA8-4909-A9C8-45C4C1C1C186",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:hp:secure_os:1.0:*:linux:*:*:*:*:*",
"matchCriteriaId": "B345284D-6842-47C0-B823-B5DDC30CC8A6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unknown vulnerability in Tomcat 3.2.1 running on HP Secure OS for Linux 1.0 allows attackers to access servlet resources. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this issue is already covered by other CVE identifiers."
}
],
"id": "CVE-2001-1563",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2001-12-31T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://archives.neohapsis.com/archives/hp/2001-q4/0062.html"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42892"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://archives.neohapsis.com/archives/hp/2001-q4/0062.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42892"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-06-07 23:59
Modified
2025-04-12 10:46
Severity ?
Summary
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*",
"matchCriteriaId": "0A354C34-A3FE-4B8A-9985-8874A0634BC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*",
"matchCriteriaId": "CFE300CC-FD4A-444E-8506-E5E269D0A0A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*",
"matchCriteriaId": "F50A3EC9-516E-48A7-839B-A73F491B5B9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "8C28F09D-5CAA-4CA7-A2B5-3B2820F5F409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:alpha:*:*:*:*:*:*",
"matchCriteriaId": "FAC2FC75-97D2-4EA1-A1A0-F592A6D7C1F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:alpha:*:*:*:*:*:*",
"matchCriteriaId": "C4871FD1-7F8C-4677-A80B-4A0BBC71DD7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:alpha:*:*:*:*:*:*",
"matchCriteriaId": "31AB969A-9ACE-44EF-B2E5-CEC008F47C46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:beta:*:*:*:*:*:*",
"matchCriteriaId": "06217215-72E4-4478-BACB-628A0836A645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:alpha:*:*:*:*:*:*",
"matchCriteriaId": "EA810F3F-ADD3-4D3F-9DFC-DBDD87B3079C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:beta:*:*:*:*:*:*",
"matchCriteriaId": "8B79F2EA-C893-4359-80EC-24AE38D982E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "CE92E59A-FF0D-4D1A-8B12-CC41A7E1FD3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "48E5E8C3-21AD-4230-B945-AB7DE66307B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4945C8C1-C71B-448B-9075-07C6C92599CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED4730B0-2E09-408B-AFD4-FE00F73700FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DE8A8A-7643-4292-BCC1-758AE0940207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "E9B54FCD-CF7C-47E2-8513-40419E47AF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "D87EFB6D-B626-469F-907C-40C771A55833",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "6330B97B-8FC5-4D7E-A960-5D94EDD0C378",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "5E8FF71D-4710-4FBB-9925-A6A26C450F7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "BCAF1EB5-FB34-40FC-96ED-9D073890D8BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED5125CC-05F9-4678-90DB-A5C7CD24AE6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "1B904C74-B92E-4EAE-AE6C-78E2B844C3DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "7A11BD74-305C-41E2-95B1-5008EEF5FA5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "595442D0-9DB7-475A-AE30-8535B70E122E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0BA92A-0BD3-4CE4-9465-95E949104BAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*",
"matchCriteriaId": "DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
"matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7D0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*",
"matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*",
"matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*",
"matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "4693BD36-E522-4C8E-9667-8F3E14A05EF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF96F96-34DB-4EB3-BF59-11220673FA26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EDF3E379-47D2-4C86-8C6D-8B3C25A0E1C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "61E008F8-2F01-4DD8-853A-337B4B4163C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "6A776B25-6AF1-421B-8E47-2A7499F6B4D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "701424A2-BB06-44B5-B468-7164E4F95529",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1BA6388C-5B6E-4651-8AE3-EBCCF61C27E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "8F9A5B7E-33A9-4651-9BE1-371A0064B661",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "F99252E8-A59C-48E1-B251-718D7FB3E399",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*",
"matchCriteriaId": "0A354C34-A3FE-4B8A-9985-8874A0634BC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*",
"matchCriteriaId": "CFE300CC-FD4A-444E-8506-E5E269D0A0A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*",
"matchCriteriaId": "F50A3EC9-516E-48A7-839B-A73F491B5B9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "8C28F09D-5CAA-4CA7-A2B5-3B2820F5F409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:alpha:*:*:*:*:*:*",
"matchCriteriaId": "FAC2FC75-97D2-4EA1-A1A0-F592A6D7C1F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:alpha:*:*:*:*:*:*",
"matchCriteriaId": "C4871FD1-7F8C-4677-A80B-4A0BBC71DD7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:alpha:*:*:*:*:*:*",
"matchCriteriaId": "31AB969A-9ACE-44EF-B2E5-CEC008F47C46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:beta:*:*:*:*:*:*",
"matchCriteriaId": "06217215-72E4-4478-BACB-628A0836A645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:alpha:*:*:*:*:*:*",
"matchCriteriaId": "EA810F3F-ADD3-4D3F-9DFC-DBDD87B3079C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:beta:*:*:*:*:*:*",
"matchCriteriaId": "8B79F2EA-C893-4359-80EC-24AE38D982E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "CE92E59A-FF0D-4D1A-8B12-CC41A7E1FD3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "48E5E8C3-21AD-4230-B945-AB7DE66307B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4945C8C1-C71B-448B-9075-07C6C92599CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED4730B0-2E09-408B-AFD4-FE00F73700FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DE8A8A-7643-4292-BCC1-758AE0940207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "E9B54FCD-CF7C-47E2-8513-40419E47AF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "D87EFB6D-B626-469F-907C-40C771A55833",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "6330B97B-8FC5-4D7E-A960-5D94EDD0C378",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "5E8FF71D-4710-4FBB-9925-A6A26C450F7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "BCAF1EB5-FB34-40FC-96ED-9D073890D8BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED5125CC-05F9-4678-90DB-A5C7CD24AE6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "1B904C74-B92E-4EAE-AE6C-78E2B844C3DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "7A11BD74-305C-41E2-95B1-5008EEF5FA5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "595442D0-9DB7-475A-AE30-8535B70E122E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0BA92A-0BD3-4CE4-9465-95E949104BAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*",
"matchCriteriaId": "DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
"matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7D0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*",
"matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*",
"matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*",
"matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "4693BD36-E522-4C8E-9667-8F3E14A05EF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF96F96-34DB-4EB3-BF59-11220673FA26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EDF3E379-47D2-4C86-8C6D-8B3C25A0E1C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "61E008F8-2F01-4DD8-853A-337B4B4163C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "6A776B25-6AF1-421B-8E47-2A7499F6B4D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "701424A2-BB06-44B5-B468-7164E4F95529",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "1BA6388C-5B6E-4651-8AE3-EBCCF61C27E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "8F9A5B7E-33A9-4651-9BE1-371A0064B661",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "F99252E8-A59C-48E1-B251-718D7FB3E399",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:hp:hp-ux:11.31:*:*:*:*:*:*:*",
"matchCriteriaId": "0FC82871-E47F-4431-AAE0-A714D7D22670",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation."
},
{
"lang": "es",
"value": "La implementaci\u00f3n Expression Language (EL) en Apache Tomcat 6.x anterior a 6.0.44, 7.x anterior a 7.0.58, y 8.x anterior a 8.0.16 no considera correctamente la posibilidad de una interfaz accesible implementada por una clase no accesible, lo que permite a atacantes evadir un mecanismo de protecci\u00f3n SecurityManager a trav\u00e9s de una aplicaci\u00f3n web que aprovecha el uso de privilegios incorrectos durante la evaluaci\u00f3n EL."
}
],
"id": "CVE-2014-7810",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-06-07T23:59:03.580",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145974991225029\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1621.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1622.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0492.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2046.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1644018"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1645642"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2015/dsa-3428"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3447"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/74665"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1032330"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-2654-1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-2655-1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://marc.info/?l=bugtraq\u0026m=145974991225029\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1621.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1622.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0492.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2046.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1644018"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1645642"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2015/dsa-3428"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3447"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/74665"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1032330"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-2654-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-2655-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-10 19:15
Modified
2025-06-16 17:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially
crafted, invalid trailer header could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FE1F7111-22BD-489A-B2C9-E67E0D601824",
"versionEndExcluding": "8.5.94",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37FCE624-DD65-4AC5-A602-BB66E0E54CFC",
"versionEndExcluding": "9.0.81",
"versionStartIncluding": "9.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0995DE67-7E3B-4CFE-AB96-E2243F994755",
"versionEndExcluding": "10.1.14",
"versionStartIncluding": "10.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "F6BD4180-D3E8-42AB-96B1-3869ECF47F6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "FC64BB57-4912-481E-AE8D-C8FCD36142BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "49B43BFD-6B6C-4E6D-A9D8-308709DDFB44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "919C16BD-79A7-4597-8D23-2CBDED2EF615",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "81B27C03-D626-42EC-AE4E-1E66624908E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "BD81405D-81A5-4683-A355-B39C912DAD2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "2DCE3576-86BC-4BB8-A5FB-1274744DFD7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "5571F54A-2EAC-41B6-BDA9-7D33CFE97F70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "ED30E850-C475-4133-BDE3-74CB3768D787",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "D334103F-F64E-4869-BCC8-670A5AFCC76C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "6284B74A-1051-40A7-9D74-380FEEEC3F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "D1AA7FF6-E8E7-4BF6-983E-0A99B0183008",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "57088BDD-A136-45EF-A8A1-2EBF79CEC2CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "B32D1D7A-A04F-444E-8F45-BB9A9E4B0199",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "F1F981F5-035A-4EDD-8A9F-481EE8BC7FF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "03A171AF-2EC8-4422-912C-547CDB58CAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "538E68C4-0BA4-495F-AEF8-4EF6EE7963CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "49350A6E-5E1D-45B2-A874-3B8601B3ADCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "5F50942F-DF54-46C0-8371-9A476DD3EEA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "D12C2C95-B79F-4AA4-8CE3-99A3EE7991AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "98792138-DD56-42DF-9612-3BDC65EEC117",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat\u00a0from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially \ncrafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache Tomcat.Tomcat desde 11.0.0-M1 hasta 11.0.0-M11, desde 10.1.0-M1 hasta 10.1.13, desde 9.0.0-M1 hasta 9.0.81 y desde 8.5.0 hasta 8.5 .93 no analizaron correctamente los encabezados de las colas HTTP. Un encabezado de avance no v\u00e1lido y especialmente manipulado podr\u00eda hacer que Tomcat trate una sola solicitud como solicitudes m\u00faltiples, lo que genera la posibilidad de contrabando de solicitudes cuando est\u00e1 detr\u00e1s de un proxy inverso. Se recomienda a los usuarios actualizar a la versi\u00f3n 11.0.0-M12 en adelante, 10.1.14 en adelante, 9.0.81 en adelante o 8.5.94 en adelante, que solucionan el problema."
}
],
"id": "CVE-2023-45648",
"lastModified": "2025-06-16T17:15:27.480",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-10-10T19:15:09.690",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/10/10/10"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20231103-0007/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5521"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5522"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/10/10/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20231103-0007/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5521"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5522"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-22 11:15
Modified
2025-02-13 15:15
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67 | Mailing List, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67 | Mailing List, Patch, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5B9F578-C5AF-47B9-8DCB-956FE1142895",
"versionEndExcluding": "8.5.86",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F53E1703-7327-4B44-8641-9335B78714E3",
"versionEndExcluding": "9.0.72",
"versionStartExcluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "55049943-7BFB-4022-B790-84466E2E873F",
"versionEndExcluding": "10.1.6",
"versionStartExcluding": "10.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "D1AA7FF6-E8E7-4BF6-983E-0A99B0183008",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nWhen using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not\u00a0include the secure attribute. This could result in the user agent\u00a0transmitting the session cookie over an insecure channel.\n\n\n\n\n\n\n\n"
}
],
"id": "CVE-2023-28708",
"lastModified": "2025-02-13T15:15:16.783",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-03-22T11:15:10.623",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Patch",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-523"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-02-19 01:00
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D11D6FB7-CBDB-48C1-98CB-1B3CAA36C5D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E98B82A-22E5-4E6C-90AE-56F5780EA147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "34672E90-C220-436B-9143-480941227933",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92883AFA-A02F-41A5-9977-ABEAC8AD2970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "989A78F8-EE92-465F-8A8D-ECF0B58AFE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1F5B6627-B4A4-4E2D-B96C-CA37CCC8C804",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "ACFB09F3-32D1-479C-8C39-D7329D9A6623",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "717F6995-5AF0-484C-90C0-A82F25FD2E32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9C36C-EF7E-4D42-9749-E2FF6CE35A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C98575E2-E39A-4A8F-B5B5-BD280B8367BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDA08E7-A417-44E8-9C89-EB22BEEC3B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "DCD1B6BE-CF07-4DA8-A703-4A48506C8AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "5878E08E-2741-4798-94E9-BA8E07386B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "69F6BAB7-C099-4345-A632-7287AEA555B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AAF031-D16B-4D51-9581-2D1376A5157B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*",
"matchCriteriaId": "51120689-F5C0-4DF1-91AA-314C40A46C58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F67477AB-85F6-421C-9C0B-C8EFB1B200CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*",
"matchCriteriaId": "16D0C265-2ED9-42CF-A7D6-C7FAE4246A1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*",
"matchCriteriaId": "5D70CFD9-B55D-4A29-B94C-D33F3E881A8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*",
"matchCriteriaId": "C1195878-CCC9-49BC-9AC7-1F88F0DFAB82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.29:*:*:*:*:*:*:*",
"matchCriteriaId": "375C26A9-623E-483A-BC11-468D9DE278C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.30:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDDD480-3C9E-4BE9-848A-99A13145C2AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.31:*:*:*:*:*:*:*",
"matchCriteriaId": "42BB8770-0BB4-4F23-AE24-58745095060D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en la interfaz de HTML Manager en Apache Software Foundation Tomcat v7.0 antes de v7.0.6, v5.5 antes de v5.5.32 y v6.0 antes de v6.0.30 permiten a atacantes remotos inyectar secuencias de comandos web o HTML, como se demuestra a trav\u00e9s de una etiqueta display-name."
}
],
"id": "CVE-2011-0013",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-02-19T01:00:01.557",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=130168502603566\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=132215163318824\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=132215163318824\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43192"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/45022"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "secalert@redhat.com",
"url": "http://securityreason.com/securityalert/8093"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5002"
},
{
"source": "secalert@redhat.com",
"url": "http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30"
},
{
"source": "secalert@redhat.com",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_%28released_14_Jan_2011%29"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2011/dsa-2160"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:030"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0791.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0896.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0897.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/516209/30/90/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/46174"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit"
],
"url": "http://www.securitytracker.com/id?1025026"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2011/0376"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=675786"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12878"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14945"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19269"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=130168502603566\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=132215163318824\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=132215163318824\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43192"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/45022"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/8093"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5002"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_%28released_14_Jan_2011%29"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2160"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:030"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0791.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0896.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0897.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/516209/30/90/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/46174"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securitytracker.com/id?1025026"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2011/0376"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=675786"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14945"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19269"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-05-10 00:19
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CBB47E3B-ECDD-4A05-9920-90696089C4C0",
"versionEndIncluding": "4.1.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "914E1404-01A2-4F94-AA40-D5EA20F55AD3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81FB1106-B26D-45BE-A511-8E69131BBA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "401A213A-FED3-49C0-B823-2E02EA528905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7641278D-3B8B-4CD2-B284-2047B65514A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7B9911-E836-4A96-A0E8-D13C957EC0EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D2341C51-A239-4A4A-B0DC-30F18175442C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0E300013-0CE7-4313-A553-74A6A247B3E9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted \"Accept-Language headers that do not conform to RFC 2616\"."
},
{
"lang": "es",
"value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en ciertas aplicaciones que usan Apache Tomcat 4.0.0 hasta 4.0.6 y 4.1.0 hasta 4.1.34 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n mediante \"cabeceras Accept-Language que no cumplen la RFC 2616\" artesanales."
}
],
"id": "CVE-2007-1358",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2007-05-10T00:19:00.000",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "secalert@redhat.com",
"url": "http://docs.info.apple.com/article.html?artnum=306172"
},
{
"source": "secalert@redhat.com",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "secalert@redhat.com",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "secalert@redhat.com",
"url": "http://jvn.jp/jp/JVN%2316535199/index.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html"
},
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/34881"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/25721"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/26235"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/26660"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/27037"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/27727"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/30899"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/30908"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/31493"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/33668"
},
{
"source": "secalert@redhat.com",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "secalert@redhat.com",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.fujitsu.com/global/support/software/security/products-f/interstage-200704e.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/471719/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/24524"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/25159"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id?1018269"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/1729"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/2732"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/3087"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2007/3386"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10679"
},
{
"source": "secalert@redhat.com",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://docs.info.apple.com/article.html?artnum=306172"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://jvn.jp/jp/JVN%2316535199/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/34881"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/25721"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/26235"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/26660"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/27037"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/27727"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/30899"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/30908"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/31493"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/33668"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.fujitsu.com/global/support/software/security/products-f/interstage-200704e.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/471719/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500396/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/500412/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/24524"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/25159"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1018269"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/1729"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/2732"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/3087"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/3386"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/1979/references"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2009/0233"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10679"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-01-28 20:30
Modified
2025-04-11 00:51
Severity ?
Summary
Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E98B82A-22E5-4E6C-90AE-56F5780EA147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "34672E90-C220-436B-9143-480941227933",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92883AFA-A02F-41A5-9977-ABEAC8AD2970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "989A78F8-EE92-465F-8A8D-ECF0B58AFE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1F5B6627-B4A4-4E2D-B96C-CA37CCC8C804",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "ACFB09F3-32D1-479C-8C39-D7329D9A6623",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "717F6995-5AF0-484C-90C0-A82F25FD2E32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9C36C-EF7E-4D42-9749-E2FF6CE35A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C98575E2-E39A-4A8F-B5B5-BD280B8367BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDA08E7-A417-44E8-9C89-EB22BEEC3B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "DCD1B6BE-CF07-4DA8-A703-4A48506C8AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "5878E08E-2741-4798-94E9-BA8E07386B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "69F6BAB7-C099-4345-A632-7287AEA555B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AAF031-D16B-4D51-9581-2D1376A5157B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*",
"matchCriteriaId": "51120689-F5C0-4DF1-91AA-314C40A46C58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F67477AB-85F6-421C-9C0B-C8EFB1B200CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*",
"matchCriteriaId": "16D0C265-2ED9-42CF-A7D6-C7FAE4246A1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*",
"matchCriteriaId": "5D70CFD9-B55D-4A29-B94C-D33F3E881A8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*",
"matchCriteriaId": "C1195878-CCC9-49BC-9AC7-1F88F0DFAB82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D11D6FB7-CBDB-48C1-98CB-1B3CAA36C5D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en Apache Tomcat v5.5.0 a la v5.5.28 y v6.0.0 a la v6.0.20, permite a atacantes remotos crear, sobrescribir archivos de su elecci\u00f3n a trav\u00e9s de .. (punto punto) en una entrada en un archivo WAR, como se demostr\u00f3 con la entrada ../../bin/catalina.bat."
}
],
"id": "CVE-2009-2693",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-01-28T20:30:01.167",
"references": [
{
"source": "cve@mitre.org",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113"
},
{
"source": "cve@mitre.org",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113"
},
{
"source": "cve@mitre.org",
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=133469267822771\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=133469267822771\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/38316"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/38346"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/38541"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/38687"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/39317"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/40330"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/40813"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/43310"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "cve@mitre.org",
"url": "http://securitytracker.com/id?1023505"
},
{
"source": "cve@mitre.org",
"url": "http://support.apple.com/kb/HT4077"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=892815\u0026view=rev"
},
{
"source": "cve@mitre.org",
"url": "http://svn.apache.org/viewvc?rev=902650\u0026view=rev"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "cve@mitre.org",
"url": "http://ubuntu.com/usn/usn-899-1"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2011/dsa-2207"
},
{
"source": "cve@mitre.org",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176"
},
{
"source": "cve@mitre.org",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:177"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0119.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0580.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0582.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/509148/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/516397/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/37944"
},
{
"source": "cve@mitre.org",
"url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/0213"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2010/1559"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2010/1986"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55855"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19355"
},
{
"source": "cve@mitre.org",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7017"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=133469267822771\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=133469267822771\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/38316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/38346"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/38541"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/38687"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/39317"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/40330"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/40813"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/43310"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1023505"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT4077"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?rev=892815\u0026view=rev"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?rev=902650\u0026view=rev"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ubuntu.com/usn/usn-899-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2207"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:177"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0119.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0580.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0582.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/509148/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/516397/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/37944"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/0213"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2010/1559"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2010/1986"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55855"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19355"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7017"
}
],
"sourceIdentifier": "cve@mitre.org",
"vendorComments": [
{
"comment": "Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2693\n\nThe Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/\n\nThis issue has been addressed in JBoss Enterprise Web Server 1.0.1: https://rhn.redhat.com/errata/RHSA-2010-0119.html",
"lastModified": "2010-03-02T00:00:00",
"organization": "Red Hat"
}
],
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-02-15 14:57
Modified
2025-04-11 00:51
Severity ?
Summary
Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor has stated "The tomcat log directory does not contain any sensitive information."
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "5E8FF71D-4710-4FBB-9925-A6A26C450F7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "BCAF1EB5-FB34-40FC-96ED-9D073890D8BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED5125CC-05F9-4678-90DB-A5C7CD24AE6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "1B904C74-B92E-4EAE-AE6C-78E2B844C3DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "7A11BD74-305C-41E2-95B1-5008EEF5FA5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "595442D0-9DB7-475A-AE30-8535B70E122E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0BA92A-0BD3-4CE4-9465-95E949104BAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*",
"matchCriteriaId": "DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "secalert@redhat.com",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor has stated \"The tomcat log directory does not contain any sensitive information.\""
},
{
"lang": "es",
"value": "** DISPUTADA ** Apache Tomcat 7.x utiliza permisos de lectura para todos para los directorios de registros LOG y sus archivos, lo que permitir\u00eda a usuarios locales obtener informaci\u00f3n sensible mediante la lectura de un archivo. NOTA: Un distribuidor Tomcat ha declarado \"El directorio de registros LOG de Tomcat no contiene ninguna informaci\u00f3n sensible\"."
}
],
"id": "CVE-2013-0346",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-02-15T14:57:07.613",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2013/02/23/5"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=924841"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2013/02/23/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=924841"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-07-13 17:30
Modified
2025-04-11 00:51
Severity ?
Summary
Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EB203AEC-2A94-48CA-A0E0-B5A8EBF028B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E98B82A-22E5-4E6C-90AE-56F5780EA147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "34672E90-C220-436B-9143-480941227933",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92883AFA-A02F-41A5-9977-ABEAC8AD2970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "989A78F8-EE92-465F-8A8D-ECF0B58AFE7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "1F5B6627-B4A4-4E2D-B96C-CA37CCC8C804",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "ACFB09F3-32D1-479C-8C39-D7329D9A6623",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D56581E2-9ECD-426A-96D8-A9D958900AD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "717F6995-5AF0-484C-90C0-A82F25FD2E32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "5B0C01D5-773F-469C-9E69-170C2844AAA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "EB03FDFB-4DBF-4B70-BFA3-570D1DE67695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "9F5CF79C-759B-4FF9-90EE-847264059E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "357651FD-392E-4775-BF20-37A23B3ABAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "585B9476-6B86-4809-9B9E-26112114CB59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "6145036D-4FCE-4EBE-A137-BDFA69BA54F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "E437055A-0A81-413F-AB08-0E9D0DC9EA30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "9276A093-9C98-4617-9941-2276995F5848",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "97C9C36C-EF7E-4D42-9749-E2FF6CE35A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C98575E2-E39A-4A8F-B5B5-BD280B8367BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDA08E7-A417-44E8-9C89-EB22BEEC3B9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "DCD1B6BE-CF07-4DA8-A703-4A48506C8AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "5878E08E-2741-4798-94E9-BA8E07386B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "69F6BAB7-C099-4345-A632-7287AEA555B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AAF031-D16B-4D51-9581-2D1376A5157B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*",
"matchCriteriaId": "51120689-F5C0-4DF1-91AA-314C40A46C58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*",
"matchCriteriaId": "F67477AB-85F6-421C-9C0B-C8EFB1B200CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*",
"matchCriteriaId": "16D0C265-2ED9-42CF-A7D6-C7FAE4246A1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*",
"matchCriteriaId": "5D70CFD9-B55D-4A29-B94C-D33F3E881A8F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*",
"matchCriteriaId": "C1195878-CCC9-49BC-9AC7-1F88F0DFAB82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:5.5.29:*:*:*:*:*:*:*",
"matchCriteriaId": "375C26A9-623E-483A-BC11-468D9DE278C1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with \"recycling of a buffer.\""
},
{
"lang": "es",
"value": "Apache Tomcat v5.5.0 hasta v5.5.29, v6.0.0 hasta v6.0.27 y v7.0.0 beta, no maneja apropiadamente una cabecera Transer-Encoding inv\u00e1lida, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (indisponibilidad de la aplicaci\u00f3n) u obtener informaci\u00f3n sensible a trav\u00e9s de una cabecera manipulada que interfiera con el \"reciclado del b\u00faffer\" (\"recycling of a buffer\")."
}
],
"id": "CVE-2010-2227",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-07-13T17:30:03.750",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://geronimo.apache.org/21x-security-report.html"
},
{
"source": "secalert@redhat.com",
"url": "http://geronimo.apache.org/22x-security-report.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050207.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050214.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/40813"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/41025"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/42079"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/42368"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/42454"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/43310"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/44183"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "secalert@redhat.com",
"url": "http://securitytracker.com/id?1024180"
},
{
"source": "secalert@redhat.com",
"url": "http://support.apple.com/kb/HT5002"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=958911"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=958977"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=959428"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2011/dsa-2207"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:177"
},
{
"source": "secalert@redhat.com",
"url": "http://www.novell.com/support/viewContent.do?externalId=7007274"
},
{
"source": "secalert@redhat.com",
"url": "http://www.novell.com/support/viewContent.do?externalId=7007275"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0580.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0581.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0582.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0583.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/512272/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/516397/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/41544"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2010/1986"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2010/2868"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2010/3056"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/60264"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18532"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://geronimo.apache.org/21x-security-report.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://geronimo.apache.org/22x-security-report.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050207.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050214.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/40813"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/41025"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/42079"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/42368"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/42454"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/43310"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/44183"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/57126"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1024180"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT5002"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=958911"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=958977"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=959428"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-5.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2207"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:177"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.novell.com/support/viewContent.do?externalId=7007274"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.novell.com/support/viewContent.do?externalId=7007275"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0580.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0581.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0582.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0583.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/512272/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/516397/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/41544"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2010/1986"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2010/2868"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2010/3056"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/60264"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18532"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2002-10-04 04:00
Modified
2025-04-03 01:03
Severity ?
Summary
The Java Server Pages (JSP) engine in Tomcat allows web page owners to cause a denial of service (engine crash) on the web server via a JSP page that calls WPrinterJob().pageSetup(null,null).
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Java Server Pages (JSP) engine in Tomcat allows web page owners to cause a denial of service (engine crash) on the web server via a JSP page that calls WPrinterJob().pageSetup(null,null)."
}
],
"id": "CVE-2002-0936",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2002-10-04T04:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0095.html"
},
{
"source": "cve@mitre.org",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.iss.net/security_center/static/9339.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://www.securityfocus.com/bid/4995"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0095.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://tomcat.apache.org/security-4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.iss.net/security_center/static/9339.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://www.securityfocus.com/bid/4995"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-04-08 15:17
Modified
2025-04-11 00:51
Severity ?
Summary
The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to \"a mix-up of responses for requests from different users.\""
},
{
"lang": "es",
"value": "El conector HTTP BIO en Apache Tomcat v7.0.x anterior a v7.0.12 no controla correctamente HTTP \"pipelining\", permitiendo a atacantes remotos leer las respuestas para otros clientes en circunstancias oportunistas mediante la examinaci\u00f3n de los datos de la aplicaci\u00f3n en paquetes HTTP, relacionado con una \"una mezcla de respuestas a las peticiones de los diferentes usuarios\""
}
],
"id": "CVE-2011-1475",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-04-08T15:17:28.243",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/fulldisclosure/2011/Apr/97"
},
{
"source": "secalert@redhat.com",
"url": "http://securityreason.com/securityalert/8188"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1086349"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1086352"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/517363"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/47199"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id?1025303"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vupen.com/english/advisories/2011/0894"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66676"
},
{
"source": "secalert@redhat.com",
"url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=50957"
},
{
"source": "secalert@redhat.com",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12374"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2011/Apr/97"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/8188"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1086349"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1086352"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/517363"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/47199"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1025303"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2011/0894"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66676"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=50957"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12374"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2003-01-17 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "914E1404-01A2-4F94-AA40-D5EA20F55AD3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81FB1106-B26D-45BE-A511-8E69131BBA52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "401A213A-FED3-49C0-B823-2E02EA528905",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0BFE5AD8-DB14-4632-9D2A-F2013579CA7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7641278D-3B8B-4CD2-B284-2047B65514A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7B9911-E836-4A96-A0E8-D13C957EC0EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0E300013-0CE7-4313-A553-74A6A247B3E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*",
"matchCriteriaId": "B7E52BE7-5281-4430-8846-E41CF34FC214",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*",
"matchCriteriaId": "CBDA8066-294D-431E-B026-C03707DFBCD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "C92F3744-C8F9-4E29-BF1A-25E03A32F2C0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148."
},
{
"lang": "es",
"value": "Apache Tomcat 4.0.5 y anteriores, cuando usando el servlet invocador y el servlet por defecto, permite a atacantes remotos leer c\u00f3digo fuente de ficheros del servidor o evadir ciertas protecciones, una variante de CAN-2002-1148"
}
],
"id": "CVE-2002-1394",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2003-01-17T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=13365"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=103470282514938\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=tomcat-dev\u0026m=103417249325526\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2003/dsa-225"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2003-075.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2003-082.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/6562"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10376"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=13365"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=103470282514938\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=tomcat-dev\u0026m=103417249325526\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2003/dsa-225"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2003-075.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2003-082.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/6562"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10376"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-05-31 11:17
Modified
2025-04-12 10:46
Severity ?
Summary
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "4693BD36-E522-4C8E-9667-8F3E14A05EF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF96F96-34DB-4EB3-BF59-11220673FA26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EDF3E379-47D2-4C86-8C6D-8B3C25A0E1C4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "029C1DD4-3B41-47D2-97D2-73A7D3D89817",
"versionEndIncluding": "6.0.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6:*:*:*:*:*:*:*",
"matchCriteriaId": "83BA996F-C770-4E36-8FD8-916EA64E9A34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D11D6FB7-CBDB-48C1-98CB-1B3CAA36C5D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*",
"matchCriteriaId": "0A354C34-A3FE-4B8A-9985-8874A0634BC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*",
"matchCriteriaId": "CFE300CC-FD4A-444E-8506-E5E269D0A0A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*",
"matchCriteriaId": "F50A3EC9-516E-48A7-839B-A73F491B5B9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "8C28F09D-5CAA-4CA7-A2B5-3B2820F5F409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:alpha:*:*:*:*:*:*",
"matchCriteriaId": "FAC2FC75-97D2-4EA1-A1A0-F592A6D7C1F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:alpha:*:*:*:*:*:*",
"matchCriteriaId": "C4871FD1-7F8C-4677-A80B-4A0BBC71DD7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:alpha:*:*:*:*:*:*",
"matchCriteriaId": "31AB969A-9ACE-44EF-B2E5-CEC008F47C46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:beta:*:*:*:*:*:*",
"matchCriteriaId": "06217215-72E4-4478-BACB-628A0836A645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:alpha:*:*:*:*:*:*",
"matchCriteriaId": "EA810F3F-ADD3-4D3F-9DFC-DBDD87B3079C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:beta:*:*:*:*:*:*",
"matchCriteriaId": "8B79F2EA-C893-4359-80EC-24AE38D982E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "CE92E59A-FF0D-4D1A-8B12-CC41A7E1FD3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "48E5E8C3-21AD-4230-B945-AB7DE66307B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4945C8C1-C71B-448B-9075-07C6C92599CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED4730B0-2E09-408B-AFD4-FE00F73700FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DE8A8A-7643-4292-BCC1-758AE0940207",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "5E8FF71D-4710-4FBB-9925-A6A26C450F7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "BCAF1EB5-FB34-40FC-96ED-9D073890D8BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED5125CC-05F9-4678-90DB-A5C7CD24AE6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "1B904C74-B92E-4EAE-AE6C-78E2B844C3DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "7A11BD74-305C-41E2-95B1-5008EEF5FA5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "595442D0-9DB7-475A-AE30-8535B70E122E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0BA92A-0BD3-4CE4-9465-95E949104BAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*",
"matchCriteriaId": "DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
"matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7D0E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application."
},
{
"lang": "es",
"value": "Apache Tomcat anterior a 6.0.40, 7.x anterior a 7.0.54 y 8.x anterior a 8.0.6 no restringe debidamente el cargador de clase que accede al analizador XML utilizado con una hoja de estilo XSLT, lo que permite a atacantes remotos (1) leer archivos arbitrarios a trav\u00e9s de una aplicaci\u00f3n web manipulada que proporciona una declaraci\u00f3n de entidad externa XML en conjunto con una referencia de entidad, relacionado con un problema de entidad externa XML (XXE) o (2) leer archivos asociados con aplicaciones web diferentes en una instancia Tomcat \u00fanica a trav\u00e9s de una aplicaci\u00f3n web manipulada."
}
],
"id": "CVE-2014-0119",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-05-31T11:17:13.357",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://advisories.mageia.org/MGASA-2014-0268.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=141017844705317\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=141017844705317\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=144498216801440\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/fulldisclosure/2014/May/141"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/59732"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/59873"
},
{
"source": "secalert@redhat.com",
"url": "http://secunia.com/advisories/60729"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1588193"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1588199"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589640"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589837"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589980"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589983"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589985"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589990"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589992"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589997"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1590028"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1590036"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1593815"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1593821"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21678231"
},
{
"source": "secalert@redhat.com",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681528"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3552"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:052"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:053"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:084"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/67669"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1030298"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-2654-1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
},
{
"source": "secalert@redhat.com",
"url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://advisories.mageia.org/MGASA-2014-0268.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=141017844705317\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=141017844705317\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=144498216801440\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2014/May/141"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/59732"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/59873"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/60729"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1588193"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1588199"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589640"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589837"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589980"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589983"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589985"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589990"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589992"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1589997"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1590028"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1590036"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1593815"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1593821"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21678231"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681528"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3552"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:052"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:053"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:084"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/67669"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1030298"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-2654-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-13 08:15
Modified
2024-11-21 06:52
Severity ?
Summary
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c | Mailing List, Vendor Advisory | |
| security@apache.org | https://security.netapp.com/advisory/ntap-20220629-0003/ | Third Party Advisory | |
| security@apache.org | https://www.oracle.com/security-alerts/cpujul2022.html | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20220629-0003/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2022.html | Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3B143436-1959-4C1D-B2B1-CA0C05DF7189",
"versionEndExcluding": "8.5.76",
"versionStartIncluding": "8.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "28EE10E6-F8E8-4446-9D59-38457FE55B97",
"versionEndExcluding": "9.0.21",
"versionStartIncluding": "9.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors."
},
{
"lang": "es",
"value": "Si una aplicaci\u00f3n web env\u00eda un mensaje WebSocket simult\u00e1neamente con el cierre de la conexi\u00f3n WebSocket cuando es ejecutado en Apache Tomcat versiones 8.5.0 a 8.5.75 o Apache Tomcat versiones 9.0.0.M1 a 9.0.20, es posible que la aplicaci\u00f3n siga usando el socket despu\u00e9s de que se haya cerrado. El manejo de errores que es activado en este caso podr\u00eda causar que el objeto agrupado sea colocado en el pool dos veces. Esto podr\u00eda resultar en que las conexiones subsiguientes usaran el mismo objeto de forma concurrente, lo que podr\u00eda resultar en que los datos sean devueltos al uso incorrecto y/o a otros errores"
}
],
"id": "CVE-2022-25762",
"lastModified": "2024-11-21T06:52:57.447",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-13T08:15:06.843",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220629-0003/"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220629-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-404"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-404"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-02-16 00:59
Modified
2025-04-12 10:46
Severity ?
Summary
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*",
"matchCriteriaId": "0A354C34-A3FE-4B8A-9985-8874A0634BC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*",
"matchCriteriaId": "CFE300CC-FD4A-444E-8506-E5E269D0A0A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*",
"matchCriteriaId": "F50A3EC9-516E-48A7-839B-A73F491B5B9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "8C28F09D-5CAA-4CA7-A2B5-3B2820F5F409",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:alpha:*:*:*:*:*:*",
"matchCriteriaId": "FAC2FC75-97D2-4EA1-A1A0-F592A6D7C1F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:alpha:*:*:*:*:*:*",
"matchCriteriaId": "C4871FD1-7F8C-4677-A80B-4A0BBC71DD7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:alpha:*:*:*:*:*:*",
"matchCriteriaId": "31AB969A-9ACE-44EF-B2E5-CEC008F47C46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:beta:*:*:*:*:*:*",
"matchCriteriaId": "06217215-72E4-4478-BACB-628A0836A645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:alpha:*:*:*:*:*:*",
"matchCriteriaId": "EA810F3F-ADD3-4D3F-9DFC-DBDD87B3079C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:beta:*:*:*:*:*:*",
"matchCriteriaId": "8B79F2EA-C893-4359-80EC-24AE38D982E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "CE92E59A-FF0D-4D1A-8B12-CC41A7E1FD3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "48E5E8C3-21AD-4230-B945-AB7DE66307B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4945C8C1-C71B-448B-9075-07C6C92599CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED4730B0-2E09-408B-AFD4-FE00F73700FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DE8A8A-7643-4292-BCC1-758AE0940207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "E9B54FCD-CF7C-47E2-8513-40419E47AF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "D87EFB6D-B626-469F-907C-40C771A55833",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
"matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
"matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "5E8FF71D-4710-4FBB-9925-A6A26C450F7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "BCAF1EB5-FB34-40FC-96ED-9D073890D8BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED5125CC-05F9-4678-90DB-A5C7CD24AE6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "1B904C74-B92E-4EAE-AE6C-78E2B844C3DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "7A11BD74-305C-41E2-95B1-5008EEF5FA5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "595442D0-9DB7-475A-AE30-8535B70E122E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0BA92A-0BD3-4CE4-9465-95E949104BAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*",
"matchCriteriaId": "DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
"matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7D0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
"matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "4693BD36-E522-4C8E-9667-8F3E14A05EF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF96F96-34DB-4EB3-BF59-11220673FA26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EDF3E379-47D2-4C86-8C6D-8B3C25A0E1C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "61E008F8-2F01-4DD8-853A-337B4B4163C6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding."
},
{
"lang": "es",
"value": "java/org/apache/coyote/http11/filters/ChunkedInputFilter.java en Apache Tomcat 6.x anterior a 6.0.42, 7.x anterior a 7.0.55, y 8.x anterior a 8.0.9 no maneja correctamente los intentos de seguir leyendo datos despu\u00e9s de un error haya ocurrido, lo que permite a atacantes remotos realizar ataques de la infiltraci\u00f3n de solicitudes HTTP o causar una denegaci\u00f3n de servicio (consumo de recursos) mediante la transmisi\u00f3n de datos con la codificaci\u00f3n malformada de transferencias fragmentadas."
}
],
"id": "CVE-2014-0227",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-02-16T00:59:00.057",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://advisories.mageia.org/MGASA-2015-0081.html"
},
{
"source": "secalert@redhat.com",
"url": "http://archives.neohapsis.com/archives/bugtraq/2015-02/0067.html"
},
{
"source": "secalert@redhat.com",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=143393515412274\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=143393515412274\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=143403519711434\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://marc.info/?l=bugtraq\u0026m=143403519711434\u0026w=2"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0983.html"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0991.html"
},
{
"source": "secalert@redhat.com",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1600984"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3447"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:052"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:053"
},
{
"source": "secalert@redhat.com",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:084"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/72717"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1032791"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-2654-1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-2655-1"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1109196"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "secalert@redhat.com",
"url": "https://source.jboss.org/changelog/JBossWeb?cs=2455"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://advisories.mageia.org/MGASA-2015-0081.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/bugtraq/2015-02/0067.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=143393515412274\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=143393515412274\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=143403519711434\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=143403519711434\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0983.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0991.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1600984"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-6.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-7.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tomcat.apache.org/security-8.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3447"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3530"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:052"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:053"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:084"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/72717"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1032791"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-2654-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-2655-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1109196"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://source.jboss.org/changelog/JBossWeb?cs=2455"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-19"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-10 18:15
Modified
2025-02-13 17:17
Severity ?
Summary
Incomplete Cleanup vulnerability in Apache Tomcat.
The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased,
in progress refactoring that exposed a potential denial of service on
Windows if a web application opened a stream for an uploaded file but
failed to close the stream. The file would never be deleted from disk
creating the possibility of an eventual denial of service due to the
disk being full.
Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2023/10/10/8 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/10/10/8 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82 | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7EFFF75C-6B29-4D93-A8EC-BC8360D0048E",
"versionEndExcluding": "8.5.94",
"versionStartIncluding": "8.5.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F819B992-BA2C-4A30-A8A1-C57806AB1C31",
"versionEndExcluding": "9.0.81",
"versionStartIncluding": "9.0.70",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incomplete Cleanup vulnerability in Apache Tomcat.\n\nThe internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, \nin progress refactoring that exposed a potential denial of service on \nWindows if a web application opened a stream for an uploaded file but \nfailed to close the stream. The file would never be deleted from disk \ncreating the possibility of an eventual denial of service due to the \ndisk being full.\n\nUsers are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de limpieza incompleta en Apache Tomcat. El fork interno de Commons FileUpload empaquetado con Apache Tomcat 9.0.70 a 9.0.80 y 8.5.85 a 8.5.93 inclu\u00eda una refactorizaci\u00f3n en curso que expuso una posible denegaci\u00f3n de servicio en Windows si una aplicaci\u00f3n web abr\u00eda una secuencia para un archivo cargado pero no lograba cerrar la secuencia. El archivo nunca se eliminar\u00eda del disco, creando la posibilidad de una eventual denegaci\u00f3n de servicio debido a que el disco est\u00e9 lleno. Se recomienda a los usuarios actualizar a la versi\u00f3n 9.0.81 en adelante o 8.5.94 en adelante, lo que soluciona el problema."
}
],
"id": "CVE-2023-42794",
"lastModified": "2025-02-13T17:17:09.493",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-10T18:15:18.863",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/10/10/8"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/10/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-459"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-17 16:59
Modified
2025-04-20 01:37
Severity ?
Summary
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49E3C039-A949-4F1B-892A-57147EECB249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F28C7801-41B9-4552-BA1E-577967BCBBEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "25B21085-7259-4685-9D1F-FF98E6489E10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "635EE321-2A1F-4FF8-95BE-0C26591969D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A81B035-8598-4D2C-B45F-C6C9D4B10C2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E1096947-82A6-4EA8-A4F2-00D91E3F7DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EBFA1D3-16A6-4041-BB30-51D2EE0F2AF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "B70B372F-EFFD-4AF7-99B5-7D1B23A0C54C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "9C95ADA4-66F5-45C4-A677-ACE22367A75A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11951A10-39A2-4FF5-8C43-DF94730FB794",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "351E5BCF-A56B-4D91-BA3C-21A4B77D529A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC2BBB4-171E-4EFF-A575-A5B7FF031755",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B0504-27C1-4824-A928-A878CBBAB32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "CE81AD36-ACD1-4C6C-8E7C-5326D1DA3045",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "D903956B-14F5-4177-AF12-0A5F1846D3C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "81F847DC-A2F5-456C-9038-16A0E85F4C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "AF3EBD00-1E1E-452D-AFFB-08A6BD111DDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B93A3A-D487-4CA1-8257-26F8FE287B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "BD8802B2-57E0-4AA6-BC8E-00DE60468569",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "8461DF95-18DC-4BF5-A703-7F19DA88DC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "1F4C9BCF-9C73-4991-B02F-E08C5DA06EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "0682A754-5E5E-48D4-836A-16841FD59445",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "3A8F2DFC-6A74-43AB-A813-957A1F7097A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "277332E0-60D9-4318-A068-901F3B037FA9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "2823789C-2CB6-4300-94DB-BDBE83ABA8E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "759588B8-DD36-474E-978B-75638962E743",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "C5416C76-46ED-4CB1-A7F8-F24EA16DE7F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A61429EE-4331-430C-9830-58DCCBCBCB58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "31B3593F-CEDF-423C-90F8-F88EED87DC3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7862B2-E1FA-4E16-92CD-8918AB461D9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E03BE3-60CC-4415-B993-D0BB00F87A30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "CE92E59A-FF0D-4D1A-8B12-CC41A7E1FD3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD64FE7-ABAF-49F3-B8D0-91C37C822F4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "48E5E8C3-21AD-4230-B945-AB7DE66307B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "2949EC36-0056-43F0-93EC-681EAC22B112",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4945C8C1-C71B-448B-9075-07C6C92599CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED4730B0-2E09-408B-AFD4-FE00F73700FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B8DE8A8A-7643-4292-BCC1-758AE0940207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "3CB6826E-FEBF-4DD7-BED5-1942DFA73BE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "E9B54FCD-CF7C-47E2-8513-40419E47AF49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "8B9AC2B8-D1AC-48E2-B88E-C7837D4F8A7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "D87EFB6D-B626-469F-907C-40C771A55833",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "38DA4B34-1759-4FC5-82E9-B2223905B9B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "6330B97B-8FC5-4D7E-A960-5D94EDD0C378",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "2A0B2FA4-772E-4B23-8B3F-CC86515E4226",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "0AE27868-CBD2-4EB9-8732-DD4C0E10D6D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "7B1F7611-C424-4B5E-94B3-3B69EABF342E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "4C132EED-8FCA-4FDA-9FF6-C5FA44E8DA2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.48:*:*:*:*:*:*:*",
"matchCriteriaId": "46481E7E-D9D5-4C4D-AC83-DD7B6EAE19DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.49:*:*:*:*:*:*:*",
"matchCriteriaId": "58B30850-6168-45CA-9766-1DA4AF019178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "DD4209CB-A607-4258-BCEA-287D8BD385FF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.51:*:*:*:*:*:*:*",
"matchCriteriaId": "A4AF1795-3D24-463F-B632-298E5CA4380D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:6.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "AFF4F31C-F376-47A8-8986-BD4E6C606990",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0F8C62EF-1B67-456A-9C66-755439CF8556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A819E245-D641-4F19-9139-6C940504F6E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C381275-10C5-4939-BCE3-0D1F3B3CB2EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7205475A-6D04-4042-B24E-1DA5A57029B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "08022987-B36B-4F63-88A5-A8F59195DF4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4B7557-EF35-451E-B55D-3296966695AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8756BF9B-3E24-4677-87AE-31CE776541F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE057E-2092-4C98-8D0C-75CF439D0A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8F194580-EE6D-4E38-87F3-F0661262256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "D24AA431-C436-4AA5-85DF-B9AAFF2548FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "11F4CBAC-27B1-4EFF-955A-A63B457D0578",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "FD55B338-9DBE-4643-ABED-A08964D3AF7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "5E8FF71D-4710-4FBB-9925-A6A26C450F7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "BCAF1EB5-FB34-40FC-96ED-9D073890D8BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "ED5125CC-05F9-4678-90DB-A5C7CD24AE6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "1B904C74-B92E-4EAE-AE6C-78E2B844C3DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "7A11BD74-305C-41E2-95B1-5008EEF5FA5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "595442D0-9DB7-475A-AE30-8535B70E122E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "4B0BA92A-0BD3-4CE4-9465-95E949104BAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
"matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*",
"matchCriteriaId": "BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*",
"matchCriteriaId": "DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
"matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*",
"matchCriteriaId": "67A0EA46-5AEA-4D0A-B89E-6560FA10EC08",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
"matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
"matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7