Fixed in Apache Tomcat 6.0.30

Low: Cross-site scripting CVE-2011-0013

The HTML Manager interface displayed web application provided data, such as display names, without filtering. A malicious web application could trigger script execution by an administrative user when viewing the manager pages.

This was fixed in revision 1057270.

This was identified by the Tomcat security team on 12 Nov 2010 and made public on 5 Feb 2011.

Affects: 6.0.0-6.0.29

Moderate: Cross-site scripting CVE-2010-4172

The Manager application used the user provided parameters sort and orderBy directly without filtering thereby permitting cross-site scripting.

This was fixed in revision 1037779.

This was first reported to the Tomcat security team on 15 Nov 2010 and made public on 22 Nov 2010.

Affects: 6.0.12-6.0.29

Low: SecurityManager file permission bypass CVE-2010-3718

When running under a SecurityManager, access to the file system is limited but web applications are granted read/write permissions to the work directory. This directory is used for a variety of temporary files such as the intermediate files generated when compiling JSPs to Servlets. The location of the work directory is specified by a ServletContect attribute that is meant to be read-only to web applications. However, due to a coding error, the read-only setting was not applied. Therefore, a malicious web application may modify the attribute before Tomcat applies the file permissions. This can be used to grant read/write permissions to any area on the file system which a malicious web application may then take advantage of. This vulnerability is only applicable when hosting web applications from untrusted sources such as shared hosting environments.

This was fixed in revision 1022560.

This was discovered by the Tomcat security team on 12 Oct 2010 and made public on 5 Feb 2011.

Affects: 6.0.0-6.0.29