Lucene search

K
tomcatApache TomcatTOMCAT:CD22C348F4620666ACC68ACA6AF1EB98
HistoryJul 09, 2010 - 12:00 a.m.

Fixed in Apache Tomcat 6.0.28

2010-07-0900:00:00
Apache Tomcat
tomcat.apache.org
26

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

AI Score

5.6

Confidence

High

EPSS

0.594

Percentile

97.8%

Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227

Several flaws in the handling of the โ€˜Transfer-Encodingโ€™ header were found that prevented the recycling of a buffer. A remote attacker could trigger this flaw which would cause subsequent requests to fail and/or information to leak between requests. This flaw is mitigated if Tomcat is behind a reverse proxy (such as Apache httpd 2.2) as the proxy should reject the invalid transfer encoding header.

This was fixed in revision 958977.

This was first reported to the Tomcat security team on 14 Jun 2010 and made public on 9 Jul 2010.

Affects: 6.0.0-6.0.27

Note: The issue below was fixed in Apache Tomcat 6.0.27 but the release vote for the 6.0.27 release candidate did not pass. Therefore, although users must download 6.0.28 to obtain a version that includes a fix for this issue, version 6.0.27 is not included in the list of affected versions.

Low: Information disclosure in authentication headers CVE-2010-1157

The WWW-Authenticate HTTP header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, a <realm-name> is not specified then Tomcat will generate realm name using the code snippet request.getServerName() + โ€œ:โ€ + request.getServerPort(). In some circumstances this can expose the local host name or IP address of the machine running Tomcat.

This was fixed in revision 936540.

This was first reported to the Tomcat security team on 31 Dec 2009 and made public on 21 Apr 2010.

Affects: 6.0.0-6.0.26

Affected configurations

Vulners
Node
apachetomcatRange6.0.0โ‰ฅ
OR
apachetomcatRangeโ‰ค6.0.26
OR
apachetomcatRangeโ‰ค6.0.27
VendorProductVersionCPE
apachetomcat*cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

AI Score

5.6

Confidence

High

EPSS

0.594

Percentile

97.8%