CVE-2009-2902 Description Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2902 http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2902 Project Category n/a Tags data Date Disclosed 2010-01-28 Date Discovered 2009-08-20 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2009-2901 Description The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2901 http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2901 Project Category n/a Tags data configuration Date Disclosed 2010-01-28 Date Discovered 2009-08-20 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2009-2693 Description Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2693 http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html Project Category n/a Tags data Date Disclosed 2010-01-28 Date Discovered 2009-08-05 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2009-2625 Description XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2625 http://www.codenomicon.com/labs/xml/ https://bugzilla.redhat.com/show_bug.cgi?id=512921 Project Category n/a Tags data Date Disclosed 2009-08-06 Date Discovered 2009-07-28 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us…
Read More
CVE-2009-0783 Description Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0783 http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0783 https://bz.apache.org/bugzilla/show_bug.cgi?id=29936 https://bz.apache.org/bugzilla/show_bug.cgi?id=45933 Project Category n/a Tags data Date Disclosed 2009-06-05 Date Discovered 2009-03-04 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel…
Read More
CVE-2009-0580 Description Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0580 http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0580 Project Category n/a Tags data Date Disclosed 2009-06-05 Date Discovered 2009-02-13 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA==…
Read More
CVE-2008-5515 Description Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5515 http://www.securityfocus.com/archive/1/archive/1/504170/100/0/threaded Project Category n/a Tags data operational Date Disclosed 2009-06-16 Date Discovered 2008-12-12 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2008-2938 Description Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2938 http://www.securiteam.com/exploits/5WP0E0UP5G.html https://www.exploit-db.com/exploits/14489/ Project Category n/a Tags data configuration Date Disclosed 2008-08-13 Date Discovered 2008-06-30 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2008-2370 Description Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2370 https://mail-archives.apache.org/mod_mbox/tomcat-users/200808.mbox/%3C48931869.8070408@apache.org%3E Project Category n/a Tags data operational Date Disclosed 2008-08-04 Date Discovered 2008-05-21 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2008-1232 Description Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1232 http://www.securityfocus.com/archive/1/archive/1/495021/100/0/threaded Project Category n/a Tags data operational Date Disclosed 2008-08-04 Date Discovered 2008-03-10 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
