
CVE-2011-1582

Description: Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.

Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1582
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1582

Project Category: n/a
Tags: data, functional
Date Disclosed: 2011-05-20
Date Discovered: 2011-04-05

CVE-2011-1184

Description: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1184
http://mail-archives.apache.org/mod_mbox/www-announce/201109.mbox/%3C4E805D2E.8010401@apache.org%3E

Project Category: n/a
Tags: functional
Date Disclosed: 2012-01-14
Date Discovered: …

CVE-2011-0013

Description: Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0013
http://www.securitytracker.com/id?1025026

Project Category: n/a
Tags: data, functional, privileged
Date Disclosed: 2011-02-18
Date Discovered: 2010-12-07

CVE-2010-4172

Description: Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.

Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4172
http://mail-archives.apache.org/mod_mbox/www-announce/201011.mbox/%3C4CEABE79.8030203@apache.org%3E

Project Category: n/a
Tags: data, functional
Date Disclosed: 2010-11-26
Date Discovered: 2010-11-04

CVE-2007-5461

Description: Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.

Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue. A workaround, as suggested in the security bulletin, is to "limit write access to trusted users." Ref: http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3C47135C2D.1000705@apache.org%3E

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5461
https://www.exploit-db.com/exploits/4530/
http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3C47135C2D.1000705@apache.org%3E

Project Category: n/a
Tags: configuration, functional
Date Disclosed: 2007-10-15
Date Discovered: 2007-10-15