CVSS2: AV:N/AC:L/Au:N/C:P/I:N/A:P
Attack Vector: Network; Attack Complexity: Low; Authentication: None
Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: Partial
AI Score Confidence: High
EPSS Percentile: 97.8%
Low: SecurityManager file permission bypass CVE-2010-3718
When running under a SecurityManager, access to the file system is limited but web applications are granted read/write permissions to the work directory. This directory is used for a variety of temporary files such as the intermediate files generated when compiling JSPs to Servlets. The location of the work directory is specified by a ServletContext attribute that is meant to be read-only to web applications. However, due to a coding error, the read-only setting was not applied. Therefore, a malicious web application may modify the attribute before Tomcat applies the file permissions. This can be used to grant read/write permissions to any area on the file system which a malicious web application may then take advantage of. This vulnerability is only applicable when hosting web applications from untrusted sources such as shared hosting environments.
This was fixed in revision 1027610.
This was discovered by the Tomcat security team on 12 Oct 2010 and made public on 5 Feb 2011.
Affects: 5.5.0-5.5.29
Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227
Several flaws in the handling of the "Transfer-Encoding" header were found that prevented the recycling of a buffer. A remote attacker could trigger this flaw which would cause subsequent requests to fail and/or information to leak between requests. This flaw is mitigated if Tomcat is behind a reverse proxy (such as Apache httpd 2.2) as the proxy should reject the invalid transfer encoding header.
This was fixed in revision 959428.
This was first reported to the Tomcat security team on 14 Jun 2010 and made public on 9 Jul 2010.
Affects: 5.5.0-5.5.29
Low: Information disclosure in authentication headers CVE-2010-1157
The WWW-Authenticate HTTP header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, if a <realm-name> is not specified, Tomcat will generate a realm name using the code snippet request.getServerName() + ":" + request.getServerPort(). In some circumstances this can expose the local host name or IP address of the machine running Tomcat.
This was fixed in revision 936541.
This was first reported to the Tomcat security team on 31 Dec 2009 and made public on 21 Apr 2010.
Affects: 5.5.0-5.5.29
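As an added example (not part of the Tomcat advisory), the check below parses WWW-Authenticate header values collected from your own servers' 401 responses and flags realms that match the host:port fallback described above, which indicates the web.xml <realm-name> is missing. The header values are constructed samples; the host names and ports in them are assumptions, not from the page.

```python
import re

# Constructed sample WWW-Authenticate values (hosts/ports are made up).
SAMPLE_HEADERS = [
    'Basic realm="app.internal.example:8080"',              # auto-generated: leaks host:port
    'Basic realm="192.168.10.5:8443"',                       # auto-generated: leaks IP:port
    'Digest realm="Secure Area", qop="auth", nonce="abc"',   # explicit <realm-name>, fine
    'Basic realm="MyApp"',                                   # explicit <realm-name>, fine
]

# name=value pairs, quoted or token form, as used by Basic/Digest challenges.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

# IPv4 literal or DNS host name, then ":" and a decimal port.
_HOST_PORT_RE = re.compile(
    r'^(?:(?:\d{1,3}\.){3}\d{1,3}'
    r'|[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'
    r'(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*)'
    r':(\d{1,5})$')


def parse_www_authenticate(value):
    """Split one WWW-Authenticate value into (SCHEME, {param: value})."""
    scheme, _, rest = value.strip().partition(' ')
    params = {}
    for m in _PARAM_RE.finditer(rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme.upper(), params


def realm_leaks_host(value):
    """True if a BASIC/DIGEST realm looks like getServerName() + ":" + getServerPort()."""
    scheme, params = parse_www_authenticate(value)
    if scheme not in ('BASIC', 'DIGEST'):
        return False
    m = _HOST_PORT_RE.match(params.get('realm', ''))
    return bool(m) and 0 < int(m.group(1)) <= 65535


def audit(headers):
    """Return the header values whose realm discloses the server host/IP."""
    return [h for h in headers if realm_leaks_host(h)]


if __name__ == '__main__':
    for leaked in audit(SAMPLE_HEADERS):
        print('realm discloses host:', leaked)
```

A flagged realm is fixed on the application side by adding a <realm-name> under <login-config> in web.xml so the fallback is never used.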