CVE-2012-4534 Description org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4534 http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-7.html https://bz.apache.org/bugzilla/show_bug.cgi?id=52858 Project Category n/a Tags data operational configuration Date Disclosed 2012-12-19 Date Discovered 2012-08-21 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2012-3546 Description org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3546 https://mail-archives.apache.org/mod_mbox/tomcat-announce/201212.mbox/%3C50BE5367.6090809@apache.org%3E Project Category n/a Tags operational functional Date Disclosed 2012-12-19 Date Discovered 2012-06-14 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2012-2733 Description java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2733 http://mail-archives.apache.org/mod_mbox/www-announce/201211.mbox/%3C5098445A.3020407@apache.org%3E https://bugs.mageia.org/show_bug.cgi?id=8692 Project Category n/a Tags data operational Date Disclosed 2012-11-16 Date Discovered 2012-05-14 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2012-0022 Description Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0022 http://tomcat.10.x6.nabble.com/CVE-2012-0022-details-td4000347.html Project Category n/a Tags data operational Date Disclosed 2012-01-18 Date Discovered 2011-12-07 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2011-4905 Description Apache ActiveMQ before 5.6.0 allows remote attackers to cause a denial of service (file-descriptor exhaustion and broker crash or hang) by sending many openwire failover:tcp:// connection requests. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4905 https://issues.apache.org/jira/browse/AMQ-3294 Project Category n/a Tags data operational Date Disclosed 2012-01-05 Date Discovered 2011-12-23 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2011-4858 Description Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4858 http://www.rapid7.com/db/modules/auxiliary/dos/http/hashcollision_dos https://www.exploit-db.com/exploits/18305/ http://www.kb.cert.org/vuls/id/903934 Project Category n/a Tags data operational Date Disclosed 2012-01-05 Date Discovered 2011-12-16 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2011-3375 Description Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3375 http://seclists.org/fulldisclosure/2012/Jan/236 Project Category n/a Tags data operational Date Disclosed 2012-01-19 Date Discovered 2011-08-30 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2011-2481 Description Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2481 https://tomcat.apache.org/security-7.html https://seclists.org/fulldisclosure/2011/Aug/106 Project Category n/a Tags data operational Date Disclosed 2011-08-15 Date Discovered 2011-06-15 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? …
Read More
CVE-2010-3718 Description Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating…
Read More
CVE-2008-5515 Description Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5515 http://www.securityfocus.com/archive/1/archive/1/504170/100/0/threaded Project Category n/a Tags data operational Date Disclosed 2009-06-16 Date Discovered 2008-12-12 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
