CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence: High
EPSS Percentile: 96.6%
Low: Arbitrary file deletion and/or alteration on deploy CVE-2009-2693
When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root by including entries such as ../../bin/catalina.sh in the WAR.
This was fixed in revision 902650.
This was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.
Affects: 5.5.0-5.5.28
Low: Insecure partial deploy after failed undeploy CVE-2009-2901
By default, Tomcat automatically deploys any directories placed in a host's appBase. This behaviour is controlled by the autoDeploy attribute of a host, which defaults to true. After a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication. This issue only affects Windows platforms.
This was fixed in revision 902650.
This was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.
Affects: 5.5.0-5.5.28 (Windows only)
Low: Unexpected file deletion in work directory CVE-2009-2902
When deploying WAR files, the WAR file names were not checked for directory traversal attempts. For example, deploying and undeploying ..war allows an attacker to cause the deletion of the current contents of the host's work directory, which may cause problems for currently running applications.
This was fixed in revision 902650.
This was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.
Affects: 5.5.0-5.5.28
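The two checks that were missing in CVE-2009-2693 (entry names inside the WAR) and CVE-2009-2902 (the WAR file name itself), as an added pre-deployment validator written for this page; it is not Tomcat code. The appBase path, the context name and the sample WAR are constructed assumptions.

```python
import io
import posixpath
import zipfile

APP_BASE = "/opt/tomcat/webapps"  # assumed host appBase; any absolute path works


def build_sample_war() -> bytes:
    """Constructed sample WAR: one legitimate entry plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("../../bin/catalina.sh", "#!/bin/sh\n")
    return buf.getvalue()


def entry_escapes(app_dir: str, entry: str) -> bool:
    """True if expanding `entry` under app_dir would write outside app_dir.

    Backslashes are treated as separators so a Windows-style entry cannot
    slip past a check that only looks for '/'; absolute names are caught
    because posixpath.join discards app_dir when the entry starts with '/'.
    """
    target = posixpath.normpath(posixpath.join(app_dir, entry.replace("\\", "/")))
    return posixpath.commonpath([app_dir, target]) != app_dir


def unsafe_entries(war_bytes: bytes, context: str = "app") -> list:
    """Names of WAR entries that would land outside the context's directory."""
    app_dir = posixpath.join(APP_BASE, context)
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return [n for n in zf.namelist() if entry_escapes(app_dir, n)]


def safe_war_filename(filename: str) -> bool:
    """Reject WAR names whose derived context name ('..war' -> '..') would
    point the expansion and work directories at a parent directory."""
    if "/" in filename or "\\" in filename or not filename.endswith(".war"):
        return False
    context = filename[: -len(".war")]
    return context not in ("", ".", "..")


if __name__ == "__main__":
    print(unsafe_entries(build_sample_war()))  # ['../../bin/catalina.sh']
    print(safe_war_filename("..war"))          # False
```

A deployer would refuse the archive if `unsafe_entries` returns anything or `safe_war_filename` is false, before any entry is written to disk.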
Low: Insecure default password CVE-2009-3548
The Windows installer defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password.
Affects: 5.5.0-5.5.28
This was first reported to the Tomcat security team on 26 Oct 2009 and made public on 9 Nov 2009.
This was fixed in revision 919006.