PT-2009-3394 · Apache +2 · Apache Tomcat +2
Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 4.1.0 through 4.1.39; Apache Tomcat versions 5.5.0 through 5.5.27; Apache Tomcat versions 6.0.0 through 6.0.18. Description: The issue allows local users to read or modify the web.xml, context.xml, or tld files of arbitrar...
[SECURITY] CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Updated
CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Updated. Severity: Important (was moderate). Vendor: The Apache Software Foundation. Versions Affected: Tomcat 4.1.0 to 4.1.37; Tomcat 5.5.0 to 5.5.26; Tomcat 6.0.0 to 6.0.16. The unsupported...
[CVE-2008-2370] Apache Tomcat information disclosure vulnerability
CVE-2008-2370: Apache Tomcat information disclosure vulnerability. Severity: Important. Vendor: The Apache Software Foundation. Versions Affected: Tomcat 4.1.0 to 4.1.37; Tomcat 5.5.0 to 5.5.26; Tomcat 6.0.0 to 6.0.16. The unsupported Tomcat 3.x, 4.0.x and...
CVE-2007-2975
The admin console in Ignite Realtime Openfire 3.3.0 and earlier (formerly Wildfire) does not properly specify a filter mapping in web.xml, which allows remote attackers to gain privileges and execute arbitrary code by accessing functionality that is exposed through DWR, as demonstrated using the...
Directory listing enabled on Tomcat
Tomcat has directory listing enabled by default. This allows browsing directories such as /images/. It seems that the filters do not take action in preventing the unauthorized access. When directory listing is disabled /conf/web.xml in Tomcat directory Jira gives 404 errors. See...
Caucho Resin 3.0.173.0.18 - Viewfile Information Disclosure
source: https://www.securityfocus.com/bid/18007/info. Resin is prone to an information-disclosure vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit this...
Sun JavaMail 1.x - Multiple Information Disclosure Vulnerabilities
source: https://www.securityfocus.com/bid/13753/info. Sun JavaMail is prone to multiple information disclosure vulnerabilities. The issues exist due to a lack of sufficient input sanitization performed on user-supplied requests. The following issues are reported: A remote attacker may reveal the...
CVE-2003-0043
Affected software: Jakarta Tomcat prior to 3.3.1a when used with JDK 1.3.1 or earlier. Root cause: processing of web.xml uses trusted privileges, enabling remote attackers to read portions of some files. Impact: information disclosure (partial). Exploitation details are not provided in the suppli...
CVE-2003-0043
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file...
CVE-2002-0493
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions...
Fixed in Apache Tomcat 4.0.0
Moderate: Security manager bypass (CVE-2002-0493). If errors are encountered during the parsing of web.xml and Tomcat is configured to use a security manager, it is possible for Tomcat to start without the security manager in place. Affects: Pre-release builds of 4.0.0...
CVE-2001-0179
Allaire JRun 3.0 allows remote attackers to list contents of the WEB-INF directory, and the web.xml file in the WEB-INF directory, via a malformed URL that contains a "."...
CVE-2001-0179
Allaire JRun 3.0 is affected by an information-disclosure vulnerability where remote attackers can list the contents of WEB-INF and the web.xml in WEB-INF via a malformed URL containing a dot. This is described in the CVE record and corroborated by OpenVAS information-disclosure entries referenci...
Security Bulletin (ASB01-02) JRun 3.0
Allaire posted the following security bulletin to their site recently. The online version can be found at: http://www.allaire.com/handlers/index.cfm?ID=19546&Method=Full. Allaire Security Bulletin ASB01-02. JRun 3.0: Patch available for JRun malformed URI WEB-IN...