CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
EPSS: 0.171 (Low)
EPSS Percentile: 96.0%
Note: These issues were fixed in Apache Tomcat 6.0.21 but the release votes for the 6.0.21, 6.0.22 and 6.0.23 release candidates did not pass. Therefore, although users must download 6.0.24 to obtain a version that includes fixes for these issues, versions 6.0.21 onwards are not included in the list of affected versions.
Low: Arbitrary file deletion and/or alteration on deploy CVE-2009-2693
When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root by including entries such as ../../bin/catalina.sh in the WAR.
This was fixed in revision 892815.
This was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.
Affects: 6.0.0-6.0.20
Low: Insecure partial deploy after failed undeploy CVE-2009-2901
By default, Tomcat automatically deploys any directories placed in a host's appBase. This behaviour is controlled by the autoDeploy attribute of a host which defaults to true. After a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication. This issue only affects Windows platforms.
This was fixed in revision 892815.
This was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.
Affects: 6.0.0-6.0.20 (Windows only)
Low: Unexpected file deletion in work directory CVE-2009-2902
When deploying WAR files, the WAR file names were not checked for directory traversal attempts. For example, deploying and undeploying ...war allows an attacker to cause the deletion of the current contents of the host's work directory which may cause problems for currently running applications.
This was fixed in revision 892815.
This was first reported to the Tomcat security team on 30 Jul 2009 and made public on 1 Mar 2010.
Affects: 6.0.0-6.0.20
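To illustrate the checks that were missing in CVE-2009-2693 (WAR entry names) and CVE-2009-2902 (WAR file names), here is an added Python example that is not Tomcat's code: it builds a constructed WAR in memory, flags any entry that would expand outside the deployment directory, and rejects a file name whose derived context name is itself a traversal. The assumption that the context name is the file name minus `.war` is a simplification made for this demo.

```python
import io
import os
import zipfile
from typing import List


def build_sample_war() -> bytes:
    """Constructed in-memory WAR: one legitimate entry plus one traversal
    entry of the kind described for CVE-2009-2693."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("../../bin/catalina.sh", "#!/bin/sh\n")
    return buf.getvalue()


def entry_escapes(entry_name: str, dest_dir: str) -> bool:
    """True if expanding this entry would write outside dest_dir."""
    # ZIP entries use '/', but reject backslashes and absolute paths outright.
    if "\\" in entry_name or entry_name.startswith("/"):
        return True
    base = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(base, *entry_name.split("/")))
    # Component-wise prefix check, so '/srv/app' does not match '/srv/app2'.
    return os.path.commonpath([base, target]) != base


def unsafe_entries(war_bytes: bytes, dest_dir: str) -> List[str]:
    """Entry names that must cause the whole deploy to be rejected."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return [name for name in zf.namelist() if entry_escapes(name, dest_dir)]


def war_name_is_safe(filename: str) -> bool:
    """Reject WAR file names whose derived context name is a traversal.
    Assumption for this demo: the context name is the file name minus '.war',
    so '...war' (CVE-2009-2902) yields '..' and is rejected."""
    if not filename.lower().endswith(".war"):
        return False
    context = filename[:-4]
    if context in ("", ".", ".."):
        return False
    return "/" not in context and "\\" not in context


if __name__ == "__main__":
    print(unsafe_entries(build_sample_war(), "/srv/tomcat/webapps/app"))
    print(war_name_is_safe("...war"), war_name_is_safe("ROOT.war"))
```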
Low: Insecure default password CVE-2009-3548
The Windows installer defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password.
This was fixed in revision 881771.
This was first reported to the Tomcat security team on 26 Oct 2009 and made public on 9 Nov 2009.
Affects: 6.0.0-6.0.20
CPE | Name | Operator | Version
---|---|---|---
apache | tomcat | ge | 6.0.0
apache | tomcat | le | 6.0.20