Fixed in Apache Tomcat 5.5.26
Low: Session hi-jacking CVE-2007-5333 The previous fix for CVE-2007-3385 was incomplete. It did not consider the use of quotes or %5C within a cookie value. Affects: 5.5.0-5.5.25 Low: Elevated privileges CVE-2007-5342 The JULI logging component allows web applications to provide their own logging...
Fixed in Apache Tomcat 5.5.21
Moderate: Session hi-jacking CVE-2008-0128 When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server. Affects:...
Fixed in Apache Tomcat 4.1.39
Moderate: Session hi-jacking CVE-2008-0128 When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server. This was fixed i...
Fixed in Apache Tomcat 5.5.25, 5.0.SVN
Low: Cross-site scripting CVE-2007-2449 JSPs within the examples web application did not escape user provided data before including it in the output. This enabled an XSS attack. These JSPs now filter the data before use. This issue may be mitigated by undeploying the examples web application. Note...
Fixed in Apache Tomcat 6.0.14
Low: Cross-site scripting CVE-2007-2449 JSPs within the examples web application did not escape user provided data before including it in the output. This enabled an XSS attack. These JSPs now filter the data before use. This issue may be mitigated by undeploying the examples web application. Note...
Fixed in Apache Tomcat 5.5.24, 5.0.SVN
Moderate: Cross-site scripting CVE-2007-1355 The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled an XSS attack. These pages have been simplified not to use any user provided...
Fixed in Apache Tomcat JK Connector 1.2.23
Important: Information disclosure CVE-2007-1860 The issue is related to CVE-2007-0450, the patch for which was insufficient. When multiple components (firewalls, caches, proxies and Tomcat) process a request, the request URL should not get decoded multiple times in an iterative way by these...
Fixed in Apache Tomcat 5.5.18, 5.0.SVN
Moderate: Cross-site scripting CVE-2006-7195 The implicit-objects.jsp in the examples webapp displayed a number of unfiltered header values. This enabled an XSS attack. These values are now filtered. Affects: 5.0.0-5.0.30, 5.5.0-5.5.17...
Fixed in Apache Tomcat 5.5.21, 5.0.SVN
Low: Cross-site scripting CVE-2007-1358 Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploi...
Fixed in Apache Tomcat 5.5.22, 5.0.SVN
Important: Directory traversal CVE-2007-0450 The fix for this issue was insufficient. A fix was also required in the JK connector module for httpd. See CVE-2007-1860 for further information. Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy including, but...
Fixed in Apache Tomcat 5.5.23, 5.0.SVN
Important: Information disclosure CVE-2005-2090 Requests with multiple content-length headers should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain multiple content-length headers and several...
Fixed in Apache Tomcat JK Connector 1.2.21
Critical: Arbitrary code execution and denial of service CVE-2007-0774 An unsafe memory copy in the URI handler for the native JK connector could result in a stack overflow condition which could be leveraged to execute arbitrary code or crash the web server. Affects: JK 1.2.19-1.2.20 Source shipp...
Fixed in Apache Tomcat 6.0.10
Important: Directory traversal CVE-2007-0450 Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy including, but not limited to, Apache HTTP server with mod_proxy and mod_jk configured to only proxy some contexts, an HTTP request containing strings like "/\../"...
Fixed in Apache Tomcat 6.0.9
Moderate: Session hi-jacking CVE-2008-0128 When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server. Affects:...
Fixed in Apache Tomcat 6.0.6
Low: Cross-site scripting CVE-2007-1358 Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploi...
Fixed in Apache Tomcat 5.5.17, 5.0.SVN
Important: Information disclosure CVE-2007-1858 The default SSL configuration permitted the use of insecure cipher suites including the anonymous cipher suite. The default configuration no longer permits the use of insecure cipher suites. Affects: 5.0.0-5.0.30, 5.5.0-5.5.16...
Fixed in Apache Tomcat JK Connector 1.2.16
Important: Information disclosure CVE-2006-7197 The Tomcat AJP connector contained a bug that sometimes set a too long length for the chunks delivered by send_body_chunks AJP messages. Bugs of this type can cause mod_jk to read beyond buffer boundaries and thus reveal sensitive memory information to...
Fixed in Apache Tomcat 5.5.16, 5.0.SVN
Low: Cross-site scripting CVE-2006-7196 The calendar application included as part of the JSP examples is susceptible to a cross-site scripting attack as it does not escape user provided data before including it in the returned page. Affects: 5.0.0-5.0.30, 5.5.0-5.5.15...
Fixed in Apache Tomcat 5.5.13, 5.0.SVN
Low: Directory listing CVE-2006-3835 This is expected behaviour when directory listings are enabled. The semicolon (;) is the separator for path parameters so inserting one before a file name changes the request into a request for a directory with a path parameter. If directory listings are enabled...
Fixed in Apache Tomcat 4.1.32
Low: Information disclosure CVE-2008-3271 Bug 25835 can, in rare circumstances - this has only been reproduced using a debugger to force a particular processing sequence for two threads - allow a user from a non-permitted IP address to gain access to a context that is protected with a valve that...
Fixed in Apache Tomcat 4.1.37
Important: Information disclosure CVE-2005-3164 If a client specifies a Content-Length but disconnects before sending any of the request body, the deprecated AJP connector processes the request using the request body of the previous request. Users are advised to use the default, supported Coyote...
Fixed in Apache Tomcat 4.1.36
Important: Information disclosure CVE-2005-2090 Requests with multiple content-length headers should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain multiple content-length headers and several...
Fixed in Apache Tomcat 6.0.11
Moderate: Cross-site scripting CVE-2007-1355 The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled an XSS attack. These pages have been simplified not to use any user provided...
Fixed in Apache Tomcat 5.5.7, 5.0.SVN
Low: Cross-site scripting CVE-2005-4838 Various JSPs included as part of the JSP examples and the Tomcat Manager are susceptible to a cross-site scripting attack as they do not escape user provided data before including it in the returned page. Affects: 5.0.0-5.0.30, 5.5.0-5.5.6...
Fixed in Apache Tomcat 3.3.2
Moderate: Cross site scripting CVE-2003-0044 The root web application and the examples web application contained a number of cross-site scripting vulnerabilities. Note that it is recommended that the examples web application is not installed on production servers. Affects: 3.0, 3.1-3.1.1, 3.2-3.2....
Fixed in Apache Tomcat 3.3.1
Important: Denial of service CVE-2003-0045 JSP page names that match a Windows DOS device name, such as aux.jsp, may cause the thread processing the request to become unresponsive. A sequence of such requests may cause all request processing threads, and hence Tomcat, to become unresponsive...
Fixed in Apache Tomcat 3.3.1a
Important: Information disclosure CVE-2003-0043 When used with JDK 1.3.1 or earlier, web.xml files were read with trusted privileges enabling files outside of the web application to be read even when running under a security manager. Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1 Important:...
Fixed in Apache Tomcat 4.1.12, 4.0.5
Important: Information disclosure CVE-2002-1148 A specially crafted URL using the default servlet can enable an attacker to obtain the source of JSP pages. Affects: 4.0.0-4.0.4, 4.1.0-4.1.11...
Fixed in Apache Tomcat 4.1.29
Moderate: Cross-site scripting CVE-2002-1567 The unmodified requested URL is included in the 404 response header. The new lines in this URL appear to the client to be the end of the header section. The remaining part of the URL, including the script elements, is treated as part of the response bo...
Fixed in Apache Tomcat 4.1.13, 4.0.6
Important: Information disclosure CVE-2002-1394 A specially crafted URL using the invoker servlet in conjunction with the default servlet can enable an attacker to obtain the source of JSP pages or, under special circumstances, a static resource that would otherwise have been protected by a...
Fixed in Apache Tomcat 4.1.3
Important: Denial of service CVE-2002-0935 A malformed HTTP request can cause the request processing thread to become unresponsive. A sequence of such requests will cause all request processing threads, and hence Tomcat as a whole, to become unresponsive. Affects: 4.0.0-4.0.2?, 4.0.3, 4.0.4-4.0.6...
Fixed in Apache Tomcat 4.1.0
Important: Denial of service CVE-2003-0866 A malformed HTTP request can cause the request processing thread to become unresponsive. A sequence of such requests will cause all request processing threads, and hence Tomcat as a whole, to become unresponsive. Affects: 4.0.0-4.0.6 Low: Information...
Fixed in Apache Tomcat 4.0.0
Moderate: Security manager bypass CVE-2002-0493 If errors are encountered during the parsing of web.xml and Tomcat is configured to use a security manager it is possible for Tomcat to start without the security manager in place. Affects: Pre-release builds of 4.0.0...
Fixed in Apache Tomcat 3.2.4
Moderate: Information disclosure CVE-2001-1563 No specifics are provided in the vulnerability report. This may be a summary of other issues reported against 3.2.x Affects: 3.2?, 3.2.1, 3.2.2-3.2.3?...
Fixed in Apache Tomcat 4.0.2
Low: Information disclosure CVE-2002-2009, CVE-2001-0917 Requests for JSP files where the file name is preceded by '+/', '/', '/' or '%20/' or a request for a JSP with a long file name would result in an error page that included the full file system path to the JSP file. Affects: 4.0.0-4.0.1...
Fixed in Apache Tomcat 3.2.2
Moderate: Cross site scripting CVE-2001-0829 The default 404 error page does not escape URLs. This allows XSS attacks using specially crafted URLs. Affects: 3.0, 3.1-3.1.1, 3.2-3.2.1 Moderate: Information disclosure CVE-2001-0590 A specially crafted URL can be used to obtain the source for JSPs...
Fixed in Apache Tomcat 3.2
Low: Information disclosure CVE-2000-0759 Requesting a JSP that does not exist results in an error page that includes the full file system path of the current context. Affects: 3.1 Important: Information disclosure CVE-2000-0672 Access to the admin context is not protected. This context allows an...
Fixed in Apache Tomcat 3.3a
Moderate: Information disclosure CVE-2002-2007 Non-standard requests to the sample applications installed by default could result in unexpected directory listings or disclosure of the full file system path for a JSP. Affects: 3.2.3-3.2.4 Low: Information disclosure CVE-2002-2006, CVE-2000-0760 Th...
Fixed in Apache Tomcat 3.1
Important: Information disclosure CVE-2000-1210 source.jsp, provided as part of the examples, allows an attacker to read arbitrary files via a .. (dot dot) in the argument to source.jsp. Affects: 3.0...