CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

EPSS: 0.959 High (Percentile: 99.4%)

Low: Information disclosure CVE-2008-3271
Bug 25835 can, in rare circumstances (this has only been reproduced using a debugger to force a particular processing sequence for two threads), allow a user from a non-permitted IP address to gain access to a context that is protected with a valve that extends RequestFilterValve. This includes the standard RemoteAddrValve and RemoteHostValve implementations.
Affects: 4.1.0-4.1.31
Important: Information disclosure CVE-2007-1858
The default SSL configuration permitted the use of insecure cipher suites including the anonymous cipher suite. The default configuration no longer permits the use of insecure cipher suites.
Affects: 4.1.28-4.1.31
Low: Cross-site scripting CVE-2006-7196
The calendar application included as part of the JSP examples is susceptible to a cross-site scripting attack as it does not escape user-provided data before including it in the returned page.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.31
Low: Directory listing CVE-2006-3835
This is expected behaviour when directory listings are enabled. The semicolon (;) is the separator for path parameters, so inserting one before a file name changes the request into a request for a directory with a path parameter. If directory listings are enabled, a directory listing will be shown. In response to this and other directory listing issues, directory listings were changed to be disabled by default.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.31
Low: Cross-site scripting CVE-2005-4838
Various JSPs included as part of the JSP examples and the Tomcat Manager are susceptible to a cross-site scripting attack as they do not escape user-provided data before including it in the returned page.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.31
Important: Denial of service CVE-2005-3510
The root cause is the relatively expensive calls required to generate the content for the directory listings. If directory listings are enabled, the number of files in each directory should be kept to a minimum. In response to this issue, directory listings were changed to be disabled by default. Additionally, a patch has been proposed that would improve performance, particularly for large directories, by caching directory listings.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.31
CPE

Name | Operator | Version |
---|---|---|
apache tomcat | ge | 4.0.0 |
apache tomcat | le | 4.0.6 |
apache tomcat | ge | 4.1.0 |
apache tomcat | ge | 4.1.28 |
apache tomcat | le | 4.1.31 |