Tomcat@3.3 Security Vulnerabilities and Issues — Tomcat@3.3 CVE List

Lucene search

ApacheTomcat3.3

16 matches found

CVE•added 2014/02/26 2:55 p.m.•894 views

CVE-2013-4590

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration...

4.3CVSS8.8AI score0.01173EPSS

CVE•added 2013/11/13 3:55 p.m.•756 views

CVE-2013-6357

Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?...

6.8CVSS7AI score0.00603EPSS

CVE•added 2014/02/26 2:55 p.m.•719 views

CVE-2013-4286

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-...

5.8CVSS9.3AI score0.8199EPSS

CVE•added 2014/02/26 2:55 p.m.•655 views

CVE-2013-4322

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial...

4.3CVSS9.1AI score0.67322EPSS

CVE•added 2009/11/12 11:30 p.m.•109 views

CVE-2009-3548

The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.

7.5CVSS7.8AI score0.88795EPSS

CVE•added 2007/08/14 10:17 p.m.•91 views

CVE-2007-3385

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the " character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.

4.3CVSS5.3AI score0.69407EPSS

CVE•added 2007/08/14 10:17 p.m.•84 views

CVE-2007-3382

Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.

4.3CVSS7.3AI score0.86383EPSS

CVE•added 2004/09/01 4:0 a.m.•59 views

CVE-2003-0043

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.

5CVSS6.3AI score0.02561EPSS

CVE•added 2004/09/01 4:0 a.m.•57 views

CVE-2002-1148

The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.

5CVSS6.4AI score0.39379EPSS

CVE•added 2004/09/01 4:0 a.m.•56 views

CVE-2003-0045

Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.

5CVSS6.6AI score0.0171EPSS

CVE•added 2005/07/14 4:0 a.m.•55 views

CVE-2002-2006

The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.

5CVSS6.1AI score0.32359EPSS

CVE•added 2003/02/07 5:0 a.m.•55 views

CVE-2003-0042

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.

5CVSS6.5AI score0.55831EPSS

CVE•added 2005/05/02 4:0 a.m.•54 views

CVE-2005-0808

Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.

5CVSS6.6AI score0.17541EPSS

CVE•added 2007/08/08 1:17 a.m.•54 views

CVE-2007-3384

Multiple cross-site scripting (XSS) vulnerabilities in examples/servlet/CookieExample in Apache Tomcat 3.3 through 3.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Value field, related to error messages.

4.3CVSS5.6AI score0.02821EPSS

CVE•added 2003/02/07 5:0 a.m.•51 views

CVE-2003-0044

Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.

6.8CVSS5.7AI score0.27285EPSS

CVE•added 2005/06/28 4:0 a.m.•42 views

CVE-2002-1895

The servlet engine in Jakarta Apache Tomcat 3.3 and 4.0.4, when using IIS and the ajp1.3 connector, allows remote attackers to cause a denial of service (crash) via a large number of HTTP GET requests for an MS-DOS device such as AUX, LPT1, CON, or PRN.

5CVSS7.1AI score0.02785EPSS