Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-201206-24
HistoryJun 24, 2012 - 12:00 a.m.

Apache Tomcat: Multiple vulnerabilities

2012-06-2400:00:00
Gentoo Foundation
security.gentoo.org
71

4.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.971 High

EPSS

Percentile

99.8%

JSON

Background

Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

Description

Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details.

Impact

The vulnerabilities allow an attacker to cause a Denial of Service, to hijack a session, to bypass authentication, to inject webscript, to enumerate valid usernames, to read, modify and overwrite arbitrary files, to bypass intended access restrictions, to delete work-directory files, to discover the server’s hostname or IP, to bypass read permissions for files or HTTP headers, to read or write files outside of the intended working directory, and to obtain sensitive information by reading a log file.

Workaround

There is no known workaround at this time.

Resolution

All Apache Tomcat 6.0.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-servers/tomcat-6.0.35"

All Apache Tomcat 7.0.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.23"
OSVersionArchitecturePackageVersionFilename
Gentooanyallwww-servers/tomcat< 7.0.23UNKNOWN

Related

openvas 82
nessus 62
redhat 15
osv 2
debian 3
tomcat 8
centos 3
oraclelinux 5
securityvulns 4
fedora 5
ubuntu 4
suse 2
prion 1
ubuntucve 1
cve 1
github 1
openvas
openvas
Gentoo Security Advisory GLSA 201206-24 (apache tomcat)
2012-08-10 00:00:00
Gentoo Security Advisory GLSA 201206-24 (apache tomcat)
2012-08-10 00:00:00
Debian Security Advisory DSA 2401-1 (tomcat6)
2012-02-12 00:00:00
nessus
nessus
GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities
2012-06-25 00:00:00
Debian DSA-2401-1 : tomcat6 - several vulnerabilities
2012-02-03 00:00:00
RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0682)
2014-11-08 00:00:00
redhat
redhat
(RHSA-2012:0682) Moderate: tomcat6 security and bug fix update
2012-05-21 00:00:00
(RHSA-2012:0681) Moderate: tomcat6 security and bug fix update
2012-05-21 16:31:40
(RHSA-2012:0680) Moderate: tomcat5 security and bug fix update
2012-05-21 00:00:00
osv
osv
tomcat6 - several
2012-02-02 00:00:00
Access restriction bypass in Apache Tomcat
2022-05-14 02:55:47
debian
debian
[SECURITY] [DSA 2401-1] tomcat6 security update
2012-02-02 19:29:50
[SECURITY] [DSA 2207-1] tomcat5.5 security update
2011-03-29 22:35:34
[SECURITY] [DSA 2160-1] tomcat6 security update
2011-02-13 18:36:11
tomcat
tomcat
Fixed in Apache Tomcat 5.5.34
2011-09-22 00:00:00
Fixed in Apache Tomcat 6.0.33
2011-08-18 00:00:00
Fixed in Apache Tomcat 7.0.12
2011-04-06 00:00:00
centos
centos
tomcat5 security update
2011-12-20 19:18:57
tomcat6 security update
2011-12-22 16:00:12
tomcat5 security update
2009-07-29 17:30:22
oraclelinux
oraclelinux
tomcat6 security and bug fix update
2011-12-05 00:00:00
tomcat5 security update
2011-12-20 00:00:00
tomcat5 security update
2012-04-11 00:00:00
securityvulns
securityvulns
[security bulletin] HPSBMA02535 SSRT100029 rev.1 - HP Performance Manager, Remote Unauthorized Access, Cross Site Scripting &#40;XSS&#41;, Denial of Service &#40;DoS&#41;
2010-05-20 00:00:00
HP Performance Manager multiple security vulnerabilities
2010-05-20 00:00:00
Apache Tomcat multiple security vulnerabilities
2009-06-14 00:00:00
fedora
fedora
[SECURITY] Fedora 14 Update: tomcat6-6.0.26-27.fc14
2011-10-20 09:55:07
[SECURITY] Fedora 11 Update: tomcat6-6.0.20-1.fc11
2009-11-27 21:36:22
[SECURITY] Fedora 12 Update: tomcat6-6.0.20-1.fc12
2009-11-27 21:50:49
ubuntu
ubuntu
Tomcat vulnerabilities
2009-06-15 00:00:00
Tomcat vulnerabilities
2011-11-08 00:00:00
Tomcat vulnerabilities
2010-02-11 00:00:00
suse
suse
Security update for tomcat6 (important)
2012-02-07 04:08:27
tomcat6: Fix multiple weaknesses in HTTP DIGESTS (important)
2012-02-09 19:09:55
prion
prion
Design/Logic Flaw
2011-05-20 22:55:00
ubuntucve
ubuntucve
CVE-2011-1582
2011-05-20 00:00:00
cve
cve
CVE-2011-1582
2011-05-20 22:55:00
github
github
Access restriction bypass in Apache Tomcat
2022-05-14 02:55:47

4.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.971 High

EPSS

Percentile

99.8%

JSON
Related for GLSA-201206-24
openvas82nessus62redhat15osv2debian3tomcat8centos3oraclelinux5securityvulns4fedora5ubuntu4suse2prion1ubuntucve1cve1github1