CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
EPSS: 0.972 High
Percentile: 99.8%
Note: The issues below were fixed in Apache Tomcat 6.0.38 but the release vote for 6.0.38 did not pass. Therefore, although users must download 6.0.39 to obtain a version that includes the fixes for these issues, version 6.0.38 is not included in the list of affected versions.
Low: Frame injection in documentation Javadoc CVE-2013-1571
Tomcat 6 is built with Java 5 which is known to generate Javadoc with a frame injection vulnerability.
The published Javadoc on the Apache Tomcat website was fixed the day this issue was announced. The Javadoc generation for releases was fixed in revision 1557724.
This issue was published by Oracle on 18 June 2013.
Affects: 6.0.0-6.0.37
Important: Information disclosure CVE-2013-4286
The fix for CVE-2005-2090 was not complete. It did not cover the following cases:
Requests with multiple content-length headers, or with a content-length header when chunked encoding is being used, should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain either multiple content-length headers or a content-length header when chunked encoding is being used, and several components do not reject the request and make different decisions as to which content-length header to use, an attacker can poison a web cache, perform an XSS attack and obtain sensitive information from requests other than their own. Tomcat now rejects requests with multiple content-length headers or with a content-length header when chunked encoding is being used.
This was fixed in revision 1552565.
This issue was identified by the Apache Tomcat security team on 15 August 2013 and made public on 25 February 2014.
Affects: 6.0.0 to 6.0.37
Important: Denial of service CVE-2013-4322
The fix for CVE-2012-3544 was not complete. It did not cover the following cases:
This was fixed in revision 1556540.
The first part of this issue was identified by the Apache Tomcat security team on 27 August 2013 and the second part by Saran Neti of TELUS Security Labs on 5 November 2013. It was made public on 25 February 2014.
Affects: 6.0.0 to 6.0.37
Low: Information disclosure CVE-2013-4590
Application-provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE, which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources, such as in a shared hosting environment.
This was fixed in revision 1558828.
This issue was identified by the Apache Tomcat security team on 29 October 2013 and made public on 25 February 2014.
Affects: 6.0.0 to 6.0.37
Low: Session fixation CVE-2014-0033
Previous fixes to path parameter handling (1149220) introduced a regression that meant session IDs provided in the URL were considered even when disableURLRewriting was configured to true. Note that the session is only used for that single request.
This was fixed in revision 1558822.
This issue was identified by the Apache Tomcat security team on 1 December 2013 and made public on 25 February 2014.
Affects: 6.0.33 to 6.0.37
CPE Name | Operator | Version
---|---|---
apache tomcat | ge | 6.0.0
apache tomcat | ge | 6.0.33
apache tomcat | le | 6.0.37