Apache Tomcat (Vulners record TOMCAT:0B64F54283D152613DC4C77D34E010AF)

Fixed in Apache Tomcat 5.5.29

Published: 2010-04-20 00:00:00
Source: Apache Tomcat, tomcat.apache.org

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AI Score: 5.9
Confidence: High
EPSS: 0.231
Percentile: 96.6%

Low: Arbitrary file deletion and/or alteration on deploy CVE-2009-2693

When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root by including entries such as ../../bin/catalina.sh in the WAR.

This was fixed in revision 902650.

This was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.

Affects: 5.5.0-5.5.28

Low: Insecure partial deploy after failed undeploy CVE-2009-2901

By default, Tomcat automatically deploys any directories placed in a host's appBase. This behaviour is controlled by the autoDeploy attribute of a host, which defaults to true. After a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication. This issue only affects Windows platforms.

This was fixed in revision 902650.

This was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.

Affects: 5.5.0-5.5.28 (Windows only)

Low: Unexpected file deletion in work directory CVE-2009-2902

When deploying WAR files, the WAR file names were not checked for directory traversal attempts. For example, deploying and undeploying ...war allows an attacker to cause the deletion of the current contents of the host's work directory, which may cause problems for currently running applications.

This was fixed in revision 902650.

This was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.

Affects: 5.5.0-5.5.28
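CVE-2009-2693 and CVE-2009-2902 above are both missing-validation bugs on deploy: entry names inside the WAR, and the WAR file name itself, were trusted when building filesystem paths. The following is an added example (not code from the Tomcat project or this advisory) of the kind of pre-deployment gate a deployer or CI pipeline can run. All names (`unsafe_entry`, `scan_war`, `safe_war_name`, `check_deploy`) are this example's own, and the WAR archives it inspects are constructed in memory as sample data.

```python
import io
import zipfile

WAR_SUFFIX = ".war"


def unsafe_entry(name):
    """True if a WAR (zip) entry name could resolve outside the deployment
    directory: an absolute path, a drive letter, or any '..' path component."""
    n = name.replace("\\", "/")  # tolerate Windows-style separators
    if n.startswith("/") or (len(n) >= 2 and n[1] == ":"):
        return True
    parts = [p for p in n.split("/") if p not in ("", ".")]
    return ".." in parts  # reject any '..' component, not just ones that normalise out


def scan_war(war_bytes):
    """Return the names of all entries in a WAR that fail unsafe_entry()."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return [info.filename for info in zf.infolist() if unsafe_entry(info.filename)]


def safe_war_name(filename):
    """Validate the WAR file name before deriving a context path from it.
    The base name (file name minus '.war') must be a single, non-traversing
    path component; a name like '...war' yields base name '..' and is rejected."""
    if not filename.endswith(WAR_SUFFIX):
        return False
    base = filename[: -len(WAR_SUFFIX)]
    if base in ("", ".", "..") or "/" in base or "\\" in base:
        return False
    return True


def build_war(entries):
    """Build an in-memory WAR from (entry_name, bytes) pairs. Constructed test
    data for this example; zipfile does not sanitise entry names on write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample WARs (hypothetical, not artifacts from the advisory).
BENIGN_WAR = build_war([
    ("WEB-INF/web.xml", b"<web-app/>"),
    ("index.jsp", b"<html></html>"),
])
TRAVERSAL_WAR = build_war([
    ("WEB-INF/web.xml", b"<web-app/>"),
    ("../../bin/catalina.sh", b"#!/bin/sh\n"),  # the entry shape the advisory names
])


def check_deploy(filename, war_bytes):
    """Gate a deployment: (ok, findings). Reject a bad file name or any
    entry that would escape the deployment directory."""
    if not safe_war_name(filename):
        return False, ["bad WAR file name: %r" % filename]
    bad = scan_war(war_bytes)
    return (len(bad) == 0), bad


if __name__ == "__main__":
    print(check_deploy("examples.war", BENIGN_WAR))     # (True, [])
    print(check_deploy("examples.war", TRAVERSAL_WAR))  # (False, ['../../bin/catalina.sh'])
    print(check_deploy("...war", BENIGN_WAR))           # (False, ["bad WAR file name: '...war'"])
```

The check inspects the central directory only and never extracts, so it can run on an untrusted archive before it reaches appBase; rejecting every `..` component (rather than only paths that still escape after normalisation) mirrors the conservative rule a deployer wants, since a later path-join on a different platform may not normalise the same way.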

Low: Insecure default password CVE-2009-3548

The Windows installer defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password.

Affects: 5.5.0-5.5.28

This was first reported to the Tomcat security team on 26 Oct 2009 and made public on 9 Nov 2009.

This was fixed in revision 919006.

Affected configurations

Vulners node: apache tomcat, version range ≥ 5.5.0 OR ≤ 5.5.28

Vendor: apache
Product: tomcat
Version: *
CPE: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
