Fixed in Apache Tomcat 4.1.37

Important: Information disclosure CVE-2005-3164

If a client specifies a Content-Length but disconnects before sending any of the request body, the deprecated AJP connector processes the request using the request body of the previous request. Users are advised to use the default, supported Coyote AJP connector which does not exhibit this issue.

Affects: 4.0.1-4.0.6, 4.1.0-4.1.36

Moderate: Cross-site scripting CVE-2007-1355

The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled a XSS attack. These pages have been simplified not to use any user provided data in the output.

Affects: 4.0.1-4.0.6, 4.1.0-4.1.36

Low: Cross-site scripting CVE-2007-2449

JSPs within the examples web application did not escape user provided data before including it in the output. This enabled a XSS attack. These JSPs now filter the data before use. This issue may be mitigated by undeploying the examples web application. Note that it is recommended that the examples web application is not installed on a production system.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36

Low: Cross-site scripting CVE-2007-2450

The Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

Affects: 4.0.1-4.0.6, 4.1.0-4.1.36

Low: Session hi-jacking CVE-2007-3382

Tomcat incorrectly treated a single quote character (') in a cookie value as a delimiter. In some circumstances this lead to the leaking of information such as session ID to an attacker.

Affects: 4.1.0-4.1.36

Low: Cross-site scripting CVE-2007-3383

When reporting error messages, the SendMailServlet (part of the examples web application) did not escape user provided data before including it in the output. This enabled a XSS attack. This Servlet now filters the data before use. This issue may be mitigated by undeploying the examples web application. Note that it is recommended that the examples web application is not installed on a production system.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36

Low: Session hi-jacking CVE-2007-3385

Tomcat incorrectly handled the character sequence " in a cookie value. In some circumstances this lead to the leaking of information such as session ID to an attacker.

Affects: 4.1.0-4.1.36

Low: Session hi-jacking CVE-2007-5333

The previous fix for CVE-2007-3385 was incomplete. It did not consider the use of quotes or %5C within a cookie value.

Affects: 4.1.0-4.1.36

Important: Information disclosure CVE-2007-5461

When Tomcat’s WebDAV servlet is configured for use with a context and has been enabled for write, some WebDAV requests that specify an entity with a SYSTEM tag can result in the contents of arbitary files being returned to the client.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36