20 matches found

Tenable Nessus
added 2017/08/09 12:0 a.m. | 50 views

Oracle Linux 7 : tomcat (ELSA-2017-2247)

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-2247 advisory. - Resolves: rhbz1459747 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism - Resolves: rhbz1441481 CVE-2017-5647 tomcat: Incorre...

CVSS 9.1 | AI score 6.7 | EPSS 0.92712
Exploits 20 | References 6

Tenable Nessus
added 2016/12/15 12:0 a.m. | 38 views

Scientific Linux Security Update : tomcat on SL7.x (noarch) (20161103)

The following packages have been upgraded to a newer upstream version: tomcat 7.0.69. Security Fixes: - A CSRF flaw was found in Tomcat's index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an...

CVSS 8.8 | AI score 6.8 | EPSS 0.4988
Exploits 0 | References 8

RedHat Linux
added 2016/11/17 8:33 p.m. | 2 views

tomcat: security manager bypass via StatusManagerServlet

It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs...

CVSS 4.3 | AI score 7.2 | EPSS 0.01434
Exploits 0 | References 5

RedHat Linux
added 2016/11/17 8:32 p.m. | 2 views

tomcat: security manager bypass via StatusManagerServlet

It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs...

CVSS 4.3 | AI score 7.2 | EPSS 0.01434
Exploits 0 | References 5

RedHat Linux
added 2016/11/03 8:12 a.m. | 1 view

tomcat: security manager bypass via StatusManagerServlet

It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs...

CVSS 4.3 | AI score 7.2 | EPSS 0.01434
Exploits 0 | References 5

RedHat Linux
added 2016/11/03 8:12 a.m. | 70 views

Moderate: Red Hat Security Advisory: tomcat security, bug fix, and enhancement update

An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the...

CVSS 8.8 | AI score 7 | EPSS 0.4988
Exploits 0 | References 22

RedHat Linux
added 2016/10/10 8:38 p.m. | 1 view

tomcat: security manager bypass via StatusManagerServlet

It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs...

CVSS 4.3 | AI score 7.2 | EPSS 0.01434
Exploits 0 | References 5

RedHat Linux
added 2016/05/17 4:31 p.m. | 2 views

tomcat: security manager bypass via StatusManagerServlet

It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs...

CVSS 4.3 | AI score 7.2 | EPSS 0.01434
Exploits 0 | References 5

RedHat Linux
added 2016/05/17 4:30 p.m. | 70 views

Moderate: Red Hat Security Advisory: Red Hat JBoss Web Server 3.0.3 update

Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerabilit...

CVSS 8.8 | AI score 7 | EPSS 0.4988
Exploits 0 | References 17

RedHat Linux
added 2016/05/17 4:30 p.m. | 1 view

tomcat: security manager bypass via StatusManagerServlet

It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs...

CVSS 4.3 | AI score 7.2 | EPSS 0.01434
Exploits 0 | References 5

RedHat Linux
added 2016/05/17 4:12 p.m. | 5 views

tomcat: security manager bypass via StatusManagerServlet

It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs...

CVSS 4.3 | AI score 7.2 | EPSS 0.01434
Exploits 0 | References 5

Tenable Nessus
added 2016/04/01 12:0 a.m. | 40 views

Amazon Linux AMI : tomcat7 (ALAS-2016-680)

ResourceLinkFactory.setGlobalContext is a public method and was discovered to be accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web...

CVSS 8.8 | AI score 7.1 | EPSS 0.4988
Exploits 0 | References 6

Tenable Nessus
added 2016/04/01 12:0 a.m. | 35 views

Amazon Linux AMI : tomcat6 (ALAS-2016-681)

A directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or...

CVSS 8.8 | AI score 7.1 | EPSS 0.4988
Exploits 0 | References 5

Tenable Nessus
added 2016/04/01 12:0 a.m. | 55 views

Amazon Linux AMI : tomcat8 (ALAS-2016-679)

ResourceLinkFactory.setGlobalContext is a public method and was discovered to be accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web...

CVSS 8.8 | AI score 7.1 | EPSS 0.36595
Exploits 0 | References 6

OpenVAS
added 2016/03/31 12:0 a.m. | 48 views

Amazon Linux: Security Advisory (ALAS-2016-680)

The remote host is missing an update for the...

CVSS 8.8 | AI score 7.4 | EPSS 0.4988
Exploits 0 | References 2

Amazon
added 2016/03/29 12:0 a.m. | 65 views

Medium: tomcat7

Issue Overview: ResourceLinkFactory.setGlobalContext is a public method and was discovered to be accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt...

CVSS 8.8 | AI score 7.9 | EPSS 0.4988
Exploits 0

Amazon
added 2016/03/29 12:0 a.m. | 52 views

Medium: tomcat8

Issue Overview: ResourceLinkFactory.setGlobalContext is a public method and was discovered to be accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt...

CVSS 8.8 | AI score 8 | EPSS 0.36595
Exploits 0

Cvelist
added 2016/02/25 1:0 a.m. | 21 views

CVE-2016-0706

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended...

AI score 6.3 | EPSS 0.01434
Exploits 0 | References 45

Tenable Nessus
added 2016/02/24 12:0 a.m. | 231 views

Apache Tomcat 6.0.x < 6.0.45 Multiple Vulnerabilities

According to its self-reported version number, the Apache Tomcat service running on the remote host is 6.0.x prior to 6.0.45. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the getResource, getResourceAsStream, and getResourcePaths...

CVSS 8.8 | AI score 7.2 | EPSS 0.4988
Exploits 0 | References 5

Apache Tomcat
added 2016/02/11 12:0 a.m. | 72 views

Fixed in Apache Tomcat 6.0.45

Low: Limited directory traversal (CVE-2015-5174). This issue only affects users running untrusted web applications under a security manager. When accessing resources via the ServletContext methods getResource, getResourceAsStream and getResourcePaths, the paths should be limited to the current web...

CVSS 8.8 | AI score 7.5 | EPSS 0.4988
Exploits 0 | Affected Software 1