Apache Tomcat
TOMCAT:714BD411598C43D1A796F94A13DB52B8
Sep 04, 2009 - 12:00 a.m.

Fixed in Apache Tomcat 5.5.28

2009-09-04 00:00:00
Apache Tomcat
tomcat.apache.org

CVSS3: 4.2 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.971 High
Percentile: 99.8%

Important: Information Disclosure CVE-2008-5515

When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it under the WEB-INF directory.

This was fixed in revisions 782757 and 783291.

This was first reported to the Tomcat security team on 11 Dec 2008 and made public on 8 Jun 2009.

Affects: 5.5.0-5.5.27
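
The ordering problem described for CVE-2008-5515, shown as an added example (a simplified model written for this page, not Tomcat source code). The function names and the sample dispatcher paths are constructed assumptions; the point is that normalising before removing the query string lets dot-segments inside the query select the target, while stripping the query first does not.

```python
# Added illustration: a simplified model of the ordering issue, not Tomcat code.

def normalise(path):
    """Resolve '.', '..' and empty segments; None if the path climbs above the root."""
    resolved = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not resolved:
                return None
            resolved.pop()
        else:
            resolved.append(segment)
    return "/" + "/".join(resolved)


def strip_query(path):
    """Drop everything from the first '?' onwards."""
    return path.split("?", 1)[0]


def target_normalise_first(dispatch_path):
    """Order described in the advisory: normalise, then remove the query string."""
    normalised = normalise(dispatch_path)
    return None if normalised is None else strip_query(normalised)


def target_strip_first(dispatch_path):
    """Corrected order: remove the query string, then normalise only the path."""
    return normalise(strip_query(dispatch_path))


def query_alters_target(dispatch_path):
    """True when query-string content changes the resource the flawed order selects."""
    return target_normalise_first(dispatch_path) != target_strip_first(dispatch_path)


# Constructed sample dispatcher paths (not taken from the advisory).
SAMPLES = [
    "/reports/view.jsp?id=42",
    "/reports/./view.jsp?sort=asc",
    "/reports/view.jsp?next=/../../WEB-INF/web.xml",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, target_normalise_first(sample), target_strip_first(sample),
              query_alters_target(sample))
```

query_alters_target can double as a review check over logged dispatcher paths: any path for which it returns True carries dot-segments in its query string that only matter to code using the flawed order.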

Important: Denial of Service CVE-2009-0033

If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. If this connector is a member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behaviour can be used for a denial of service attack using a carefully crafted request.

This was fixed in revision 781362.

This was first reported to the Tomcat security team on 26 Jan 2009 and made public on 3 Jun 2009.

Affects: 5.5.0-5.5.27

Low: Information disclosure CVE-2009-0580

Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of user names by supplying illegally URL encoded passwords. The attack is possible if FORM based authentication (j_security_check) is used with the MemoryRealm. Note that in early versions, the DataSourceRealm and JDBCRealm were also affected.

This was fixed in revision 781379.

This was first reported to the Tomcat security team on 25 Feb 2009 and made public on 3 Jun 2009.

Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC Realms)

Low: Cross-site scripting CVE-2009-0781

The calendar application in the examples web application contains an XSS flaw due to invalid HTML which renders the XSS filtering protection ineffective.

This was fixed in revision 750928.

This was first reported to the Tomcat security team on 5 Mar 2009 and made public on 6 Mar 2009.

Affects: 5.5.0-5.5.27

Low: Information disclosure CVE-2009-0783

Bugs 29936 and 45933 allowed a web application to replace the XML parser used by Tomcat to process web.xml, context.xml and tld files. In limited circumstances these bugs may allow a rogue web application to view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance.

This was fixed in revisions 681156 and 781542.

This was first reported to the Tomcat security team on 2 Mar 2009 and made public on 4 Jun 2009.

Affects: 5.5.0-5.5.27
