Fixed in Apache Tomcat 4.1.32

Low: Information disclosure CVE-2008-3271

Bug 25835 can, in rare circumstances - this has only been reproduced using a debugger to force a particular processing sequence for two threads - allow a user from a non-permitted IP address to gain access to a context that is protected with a valve that extends RequestFilterValve. This includes the standard RemoteAddrValve and RemoteHostValve implementations.

Affects: 4.1.0-4.1.31

Important: Information disclosure CVE-2007-1858

The default SSL configuration permitted the use of insecure cipher suites including the anonymous cipher suite. The default configuration no longer permits the use of insecure cipher suites.

Affects: 4.1.28-4.1.31

Low: Cross-site scripting CVE-2006-7196

The calendar application included as part of the JSP examples is susceptible to a cross-site scripting attack as it does not escape user provided data before including it in the returned page.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.31

Low: Directory listing CVE-2006-3835

This is expected behaviour when directory listings are enabled. The semicolon (;) is the separator for path parameters so inserting one before a file name changes the request into a request for a directory with a path parameter. If directory listings are enabled, a diretcory listing will be shown. In response to this and other directory listing issues, directory listings were changed to be disabled by default.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.31

Low: Cross-site scripting CVE-2005-4838

Various JSPs included as part of the JSP examples and the Tomcat Manager are susceptible to a cross-site scripting attack as they do not escape user provided data before including it in the returned page.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.31

Important: Denial of service CVE-2005-3510

The root cause is the relatively expensive calls required to generate the content for the directory listings. If directory listings are enabled, the number of files in each directory should be kepp to a minimum. In response to this issue, directory listings were changed to be disabled by default. Additionally, a patch has been proposed that would improve performance, particularly for large directories, by caching directory listings.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.31