Apache Tomcat | TOMCAT:4659DEAC38E318C13712A886F48A7052
Jul 09, 2010 - 12:00 a.m.

Fixed in Apache Tomcat 5.5.30

tomcat.apache.org

CVSS2: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL

AI Score: 5.8 (Confidence: High)
EPSS: 0.594 (Percentile: 97.8%)

Low: SecurityManager file permission bypass CVE-2010-3718

When running under a SecurityManager, access to the file system is limited but web applications are granted read/write permissions to the work directory. This directory is used for a variety of temporary files such as the intermediate files generated when compiling JSPs to Servlets. The location of the work directory is specified by a ServletContext attribute that is meant to be read-only to web applications. However, due to a coding error, the read-only setting was not applied. Therefore, a malicious web application may modify the attribute before Tomcat applies the file permissions. This can be used to grant read/write permissions to any area on the file system which a malicious web application may then take advantage of. This vulnerability is only applicable when hosting web applications from untrusted sources such as shared hosting environments.

This was fixed in revision 1027610.

This was discovered by the Tomcat security team on 12 Oct 2010 and made public on 5 Feb 2011.

Affects: 5.5.0-5.5.29

Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227

Several flaws in the handling of the 'Transfer-Encoding' header were found that prevented the recycling of a buffer. A remote attacker could trigger this flaw which would cause subsequent requests to fail and/or information to leak between requests. This flaw is mitigated if Tomcat is behind a reverse proxy (such as Apache httpd 2.2) as the proxy should reject the invalid transfer encoding header.

This was fixed in revision 959428.

This was first reported to the Tomcat security team on 14 Jun 2010 and made public on 9 Jul 2010.

Affects: 5.5.0-5.5.29

Low: Information disclosure in authentication headers CVE-2010-1157

The WWW-Authenticate HTTP header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, if a <realm-name> is not specified then Tomcat will generate a realm name using the code snippet request.getServerName() + ":" + request.getServerPort(). In some circumstances this can expose the local host name or IP address of the machine running Tomcat.

This was fixed in revision 936541.

This was first reported to the Tomcat security team on 31 Dec 2009 and made public on 21 Apr 2010.

Affects: 5.5.0-5.5.29

Affected configurations

apache tomcat, range ≥ 5.5.0
OR
apache tomcat, range ≤ 5.5.29

Vendor: apache
Product: tomcat
Version: *
CPE: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
