CVE-2011-5062
Description: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.
Mitigation: Upgrade to a release outside the affected ranges (5.5.34, 6.0.33 or 7.0.12 or later).
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5062
https://access.redhat.com/security/cve/CVE-2011-5062
Project Category: n/a
Tags: data, functional
Date Disclosed: 2012-01-14
Date Discovered: 2012-01-14
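The point of the qop check, shown as an added example (this is a simplified model written for this page, not Tomcat's DigestAuthenticator; the realm, nonce, user and request bodies are constructed). The server is meant to require qop=auth-int, which binds the MD5 of the entity body into the digest. A server that recomputes the digest with whatever qop the client names accepts a qop=auth response even though it offered only auth-int, and a body modified in transit still verifies; the fixed verifier rejects any qop it did not offer before it recomputes anything.

```python
import hashlib
import hmac
import re

# Constructed fixtures for the demonstration (not real credentials or nonces).
REALM = "example"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
USERS = {"alice": "s3cret"}
OFFERED_QOP = "auth-int"        # the only qop the server advertised in WWW-Authenticate


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce, qop, body=b""):
    """RFC 2617 request-digest for qop=auth or qop=auth-int."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}".encode())
    if qop == "auth-int":
        # auth-int covers the entity body: H(method:uri:H(body))
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}".encode())
    else:
        # plain auth covers only method and URI; the body is unprotected
        ha2 = md5_hex(f"{method}:{uri}".encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def build_authorization(user, password, method, uri, qop, body=b"",
                        nc="00000001", cnonce="0a4f113b"):
    """Client side: the Authorization header for one request."""
    resp = digest_response(user, password, method, uri, NONCE, nc, cnonce, qop, body)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_authorization(header: str) -> dict:
    """Split 'Digest k=v, k="v", ...' into a dict (quoted and bare values)."""
    fields = {}
    params = header.partition(" ")[2]
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def verify(header: str, method: str, body: bytes, enforce_qop: bool) -> bool:
    """Server side. enforce_qop=False trusts whatever qop the client sent (the
    pattern described for CVE-2011-5062); enforce_qop=True refuses a qop the
    server did not offer before the digest is recomputed."""
    f = parse_authorization(header)
    password = USERS.get(f.get("username", ""))
    if password is None or f.get("nonce") != NONCE:
        return False
    qop = f.get("qop", "")
    if enforce_qop and qop != OFFERED_QOP:
        return False
    expected = digest_response(f["username"], password, method, f["uri"],
                               f["nonce"], f["nc"], f["cnonce"], qop, body)
    return hmac.compare_digest(expected, f.get("response", ""))


if __name__ == "__main__":
    sent = b"amount=1"
    tampered = b"amount=1000000"          # body rewritten on the wire
    downgraded = build_authorization("alice", "s3cret", "POST", "/api/transfer", "auth")
    print("unchecked qop, tampered body accepted:", verify(downgraded, "POST", tampered, False))
    print("checked qop, same header rejected:   ", verify(downgraded, "POST", tampered, True))
    proper = build_authorization("alice", "s3cret", "POST", "/api/transfer", "auth-int", sent)
    print("auth-int, intact body:               ", verify(proper, "POST", sent, True))
    print("auth-int, tampered body:             ", verify(proper, "POST", tampered, True))
```

The check belongs before any digest arithmetic: comparing the client's qop against the set the server advertised is what turns "the client proved it knows the password" into "the client proved it knows the password and the body is the one it signed".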
CVE-2011-4905
Description: Apache ActiveMQ before 5.6.0 allows remote attackers to cause a denial of service (file-descriptor exhaustion and broker crash or hang) by sending many openwire failover:tcp:// connection requests.
Mitigation: Upgrade to Apache ActiveMQ 5.6.0 or later.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4905
https://issues.apache.org/jira/browse/AMQ-3294
Project Category: n/a
Tags: data, operational
Date Disclosed: 2012-01-05
Date Discovered: 2011-12-23
CVE-2011-4858
Description: Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Mitigation: Upgrade to 5.5.35, 6.0.35 or 7.0.23 or later.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4858
http://www.rapid7.com/db/modules/auxiliary/dos/http/hashcollision_dos
https://www.exploit-db.com/exploits/18305/
http://www.kb.cert.org/vuls/id/903934
Project Category: n/a
Tags: data, operational
Date Disclosed: 2012-01-05
Date Discovered: 2011-12-16
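Why "predictable collisions" turns a form post into a CPU sink, as an added example (written for this page, not code from Tomcat or from the linked exploit modules). `java.lang.String.hashCode()` is public and deterministic, and the two-character strings "Aa" and "BB" share the value 2112; because the hash is a polynomial in 31, any concatenation of those blocks collides too, so 2^n keys of length 2n all land in one bucket and each insertion compares against every earlier key. The toy table below counts those comparisons, and the parser shows the mitigation Tomcat shipped with the fixed releases: cap the number of parameters before any of them reaches a hash table (the `maxParameterCount` connector attribute; its default of 10000 is quoted from memory of the Tomcat documentation and is an assumption here).

```python
import itertools
from urllib.parse import parse_qsl


def java_string_hash(s: str) -> int:
    """java.lang.String.hashCode(): h = 31*h + c over the characters (BMP code
    points here), wrapped to a signed 32-bit int like Java's int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x1_0000_0000 if h >= 0x8000_0000 else h


def colliding_keys(n_blocks: int) -> list:
    """All 2**n_blocks strings made of the blocks "Aa" and "BB". Both blocks hash
    to 2112, and hash(x + y) == 31**len(y) * hash(x) + hash(y) (mod 2**32), so
    every combination has the same hashCode."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=n_blocks)]


class ChainedTable:
    """Toy separate-chaining map keyed by java_string_hash that counts key
    comparisons, the work that becomes quadratic when every key shares a bucket."""

    def __init__(self, nbuckets: int = 1024):
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[java_string_hash(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def insertion_cost(keys) -> int:
    """Number of key comparisons needed to insert all keys into a fresh table."""
    table = ChainedTable()
    for k in keys:
        table.put(k, "1")
    return table.comparisons


def parse_form(body: str, max_parameter_count: int = 10000) -> dict:
    """Parse application/x-www-form-urlencoded, refusing oversized parameter sets
    before they are inserted anywhere. parse_qsl's own max_num_fields raises
    ValueError once the separator count exceeds the limit, so the cap is
    enforced by counting, not by hashing."""
    pairs = parse_qsl(body, keep_blank_values=True, max_num_fields=max_parameter_count)
    return dict(pairs)


def accepts(body: str, max_parameter_count: int) -> bool:
    try:
        parse_form(body, max_parameter_count)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hostile = colliding_keys(10)                         # 1024 keys, one hash
    benign = [f"k{i}" for i in range(1024)]
    print("distinct hashes (hostile):", len({java_string_hash(k) for k in hostile}))
    print("comparisons, hostile keys:", insertion_cost(hostile))
    print("comparisons, benign keys: ", insertion_cost(benign))
    body = "&".join(f"{k}=1" for k in hostile)
    print("accepted with limit 500: ", accepts(body, 500))
```

The comparison counts are the whole story: 1024 colliding keys cost 1024*1023/2 comparisons, and the attacker's cost to produce them is a few bytes per key, so the asymmetry grows with the square of the parameter count. Capping the count bounds the damage regardless of the hash function; randomising or replacing the hash (what later JDKs and frameworks did) removes the predictability instead.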
CVE-2011-3376
Description: org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.
Mitigation: Upgrade to Apache Tomcat 7.0.22 or later (the linked Tomcat 7 security page lists this issue as fixed in 7.0.22).
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3376
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.22
https://bugzilla.redhat.com/show_bug.cgi?id=752371
Project Category: n/a
Tags: data
Date Disclosed: 2011-11-11
Date Discovered: 2011-08-30
CVE-2011-3375
Description: Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.
Mitigation: Upgrade to a release outside the affected ranges: Apache Tomcat 7.0.22 or later, or a 6.x release later than 6.0.33.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3375
http://seclists.org/fulldisclosure/2012/Jan/236
Project Category: n/a
Tags: data, operational
Date Disclosed: 2012-01-19
Date Discovered: 2011-08-30
CVE-2011-2526
Description: Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.
Mitigation: Upgrade to 5.5.34, 6.0.33 or 7.0.19 or later. The issue only applies when sendfile is enabled on the APR or NIO connector and an untrusted web application is deployed on the same instance.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2526
http://www.securityfocus.com/archive/1/archive/1/518889/100/0/threaded
Project Category: n/a
Tags: data, functional, other
Date Disclosed: 2011-07-14
Date Discovered: 2011-06-15
CVE-2011-2481
Description: Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression.
Mitigation: Upgrade to Apache Tomcat 7.0.17 or later.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2481
https://tomcat.apache.org/security-7.html
https://seclists.org/fulldisclosure/2011/Aug/106
Project Category: n/a
Tags: data, operational
Date Disclosed: 2011-08-15
Date Discovered: 2011-06-15
CVE-2011-2204
Description: Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.
Mitigation: Upgrade to 5.5.34, 6.0.33 or 7.0.17 or later. Log files written by an affected version may already contain passwords, so review them, restrict who can read them, and rotate any credentials found there.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2204
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2204
Project Category: n/a
Tags: data, configuration
Date Disclosed: 2011-06-29
Date Discovered: 2011-05-31
CVE-2011-1582
Description: Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.
Mitigation: Upgrade to Apache Tomcat 7.0.14 or later (the linked Tomcat 7 security page lists this issue as fixed in 7.0.14).
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1582
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1582
Project Category: n/a
Tags: data, functional
Date Disclosed: 2011-05-20
Date Discovered: 2011-04-05
CVE-2011-1475
Description: The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."
Mitigation: Upgrade to Apache Tomcat 7.0.12 or later (the linked Tomcat 7 security page lists this issue as fixed in 7.0.12).
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1475
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.12
https://bz.apache.org/bugzilla/show_bug.cgi?id=50957
Project Category: n/a
Tags: data
Date Disclosed: 2011-04-08
Date Discovered: 2011-03-21
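A way to test a server for this class of pipelining mix-up, as an added example (written for this page, not Tomcat's code or the reporter's test case). Each pipelined request carries a unique marker that the server is expected to echo (the `/echo?tag=...` endpoint is an assumption; substitute any URL whose response reflects the query string). Responses on a keep-alive connection must come back in request order, so the n-th framed response must contain the n-th marker; a body that carries a marker this connection never sent, or another connection's marker when several probes run concurrently, is exactly the cross-client leak the advisory describes. The offline part of the example frames two constructed captures, one correct and one with two responses swapped.

```python
import socket


def build_pipelined_requests(host: str, path_template: str, markers) -> bytes:
    """One GET per marker, concatenated without waiting for any response."""
    out = b""
    for m in markers:
        out += (f"GET {path_template.format(marker=m)} HTTP/1.1\r\n"
                f"Host: {host}\r\nConnection: keep-alive\r\n\r\n").encode()
    return out


def split_pipelined_responses(stream: bytes) -> list:
    """Frame back-to-back HTTP/1.1 responses by Content-Length. Returns a list
    of (status_line, headers, body); chunked encoding is out of scope here."""
    responses = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("truncated response head")
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        if b"transfer-encoding" in headers:
            raise ValueError("chunked responses are not handled by this example")
        length = int(headers.get(b"content-length", b"0"))
        body, stream = rest[:length], rest[length:]
        if len(body) != length:
            raise ValueError("truncated response body")
        responses.append((lines[0].decode(), headers, body))
    return responses


def mismatched_responses(markers, stream: bytes) -> list:
    """(index, expected_marker, body) for every response that does not carry
    the marker of the request in that position."""
    bodies = [body for _, _, body in split_pipelined_responses(stream)]
    if len(bodies) != len(markers):
        raise ValueError(f"sent {len(markers)} requests, framed {len(bodies)} responses")
    return [(i, m, body) for i, (m, body) in enumerate(zip(markers, bodies))
            if m.encode() not in body]


def probe_server(host: str, port: int, markers,
                 path_template: str = "/echo?tag={marker}", timeout: float = 5.0) -> list:
    """Live check against a real server; reads until the peer closes or goes
    quiet, then applies mismatched_responses. Not used by the offline demo."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_pipelined_requests(host, path_template, markers))
        chunks = []
        while True:
            try:
                data = s.recv(65536)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return mismatched_responses(markers, b"".join(chunks))


def make_response(body: bytes) -> bytes:
    """Minimal Content-Length framed 200 response (used to build the captures)."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n%s" % (len(body), body))


# Constructed captures: IN_ORDER is what a correct server returns for three
# pipelined requests; SWAPPED returns the second and third responses exchanged.
MARKERS = ["req-A", "req-B", "req-C"]
IN_ORDER = b"".join(make_response(f"tag={m}\n".encode()) for m in MARKERS)
SWAPPED = b"".join(make_response(f"tag={m}\n".encode()) for m in ["req-A", "req-C", "req-B"])


if __name__ == "__main__":
    print("in-order capture, mismatches:", mismatched_responses(MARKERS, IN_ORDER))
    print("swapped capture, mismatches: ", mismatched_responses(MARKERS, SWAPPED))
```

When run against a live server, use long random markers rather than the short constructed ones, run several connections in parallel so that a leaked response can be attributed to the connection it belonged to, and repeat the probe under load: the advisory's "opportunistic circumstances" means a single clean run proves little.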