CVE-2010-2087 Description Oracle Mojarra 1.2_14 and 2.0.2, as used in IBM WebSphere Application Server, Caucho Resin, and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2087 http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf Project Category n/a Tags data Date Disclosed 2010-05-27 Date Discovered 2010-05-27 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable?  Contact us so we can help you.

CVE-2010-1157 Description Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1157 http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html https://svn.apache.org/viewvc?view=revision&revision=936540 https://svn.apache.org/viewvc?view=revision&revision=936541 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-1157 Project Category n/a Tags data Date Disclosed 2010-04-23 Date Discovered 2010-03-29 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable?  Contact us so we can help you.

CVE-2009-2902 Description Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2902 http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2902 Project Category n/a Tags data Date Disclosed 2010-01-28 Date Discovered 2009-08-20 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable?  Contact us so we can help you.

CVE-2009-2693 Description Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2693 http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html Project Category n/a Tags data Date Disclosed 2010-01-28 Date Discovered 2009-08-05 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable?  Contact us so we can help you.

CVE-2009-2625 Description XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2625 http://www.codenomicon.com/labs/xml/ https://bugzilla.redhat.com/show_bug.cgi?id=512921 Project Category n/a Tags data Date Disclosed 2009-08-06 Date Discovered 2009-07-28 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable?  Contact us…

CVE-2009-0783 Description Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0783 http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0783 https://bz.apache.org/bugzilla/show_bug.cgi?id=29936 https://bz.apache.org/bugzilla/show_bug.cgi?id=45933 Project Category n/a Tags data Date Disclosed 2009-06-05 Date Discovered 2009-03-04 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel…

CVE-2009-0580 Description Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0580 http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0580 Project Category n/a Tags data Date Disclosed 2009-06-05 Date Discovered 2009-02-13 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA==…