CVE-2012-2379
Description: Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element is signed or encrypted, which has unspecified impact and attack vectors.
Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating…
CVE-2012-2378
Description: Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies.
Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2378
http://cxf.apache.org/cve-2012-2378.html
Project Category: n/a
Tags: data
Date Disclosed: 2013-01-05
Date Discovered: 2012-04-19
CVE-2012-0881
Description: Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0881
https://issues.apache.org/jira/browse/XERCESJ-1685
Project Category: n/a
Tags: data, functional
Date Disclosed: 2017-10-30
Date Discovered: 2012-01-19
CVE-2012-0022
Description: Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0022
http://tomcat.10.x6.nabble.com/CVE-2012-0022-details-td4000347.html
Project Category: n/a
Tags: data, operational
Date Disclosed: 2012-01-18
Date Discovered: 2011-12-07
CVE-2011-5064
Description: DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5064
http://tomcat.apache.org/security-6.html
Project Category: n/a
Tags: data, functional
Date Disclosed: 2012-01-14
Date Discovered: 2012-01-14
CVE-2011-5063
Description: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5063
Project Category: n/a
Tags: data, functional
Date Disclosed: 2012-01-14
Date Discovered: 2012-01-14
CVE-2011-5062
Description: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5062
https://access.redhat.com/security/cve/CVE-2011-5062
Project Category: n/a
Tags: data, functional
Date Disclosed: 2012-01-14
Date Discovered: 2012-01-14
CVE-2011-4905
Description: Apache ActiveMQ before 5.6.0 allows remote attackers to cause a denial of service (file-descriptor exhaustion and broker crash or hang) by sending many openwire failover:tcp:// connection requests.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4905
https://issues.apache.org/jira/browse/AMQ-3294
Project Category: n/a
Tags: data, operational
Date Disclosed: 2012-01-05
Date Discovered: 2011-12-23
CVE-2011-4858
Description: Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4858
http://www.rapid7.com/db/modules/auxiliary/dos/http/hashcollision_dos
https://www.exploit-db.com/exploits/18305/
http://www.kb.cert.org/vuls/id/903934
Project Category: n/a
Tags: data, operational
Date Disclosed: 2012-01-05
Date Discovered: 2011-12-16
CVE-2011-3376
Description: org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.
Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3376
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.22
https://bugzilla.redhat.com/show_bug.cgi?id=752371
Project Category: n/a
Tags: data
Date Disclosed: 2011-11-11
Date Discovered: 2011-08-30