apache/tomcat: The latest CVE Vulnerabilities and Exploits for Penetration Test

Last Updated: 2023-05-04

Page content

apache/tomcat Vulnerability Summary

Vendor name: apache
Product name: tomcat
Total vulnerabilities: 201 (as 2023-05-04)

apache/tomcat Vulnerability List

CVE-2022-23181: The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache…

Published: 2022-01-27T13:15:00 Last Modified: 2022-02-02T17:04:00

Summary

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

Common Weakness Enumeration (CWE): CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CWE Description: The software checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

Scores

Impact Score: 6.4
Exploitability Score: 3.4
CVSS: 4.4
CVSS Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: LOCAL

Currently, there is no code for exploiting the CVE-2022-23181 vulnerability.

References

https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9

CVE-2021-42340: The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11,…

Published: 2021-10-14T20:15:00 Last Modified: 2022-02-07T16:16:00

Summary

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Common Weakness Enumeration (CWE): CWE-772: Missing Release of Resource after Effective Lifetime

CWE Description: The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2021-42340 vulnerability.

References

CVE-2021-41079: Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly…

Published: 2021-09-16T15:15:00 Last Modified: 2021-12-01T14:19:00

Summary

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation

CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2021-41079 vulnerability.

References

CVE-2021-30639: A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An…

Published: 2021-07-12T15:15:00 Last Modified: 2022-02-07T16:15:00

Summary

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

Common Weakness Enumeration (CWE): CWE-755: Improper Handling of Exceptional Conditions

CWE Description: The software does not handle or incorrectly handles an exceptional condition.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2021-30639 vulnerability.

References

CVE-2021-30640: A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using…

Published: 2021-07-12T15:15:00 Last Modified: 2022-02-07T16:15:00

Summary

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

Common Weakness Enumeration (CWE): CWE-287: Improper Authentication

CWE Description: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Scores

Impact Score: 4.9
Exploitability Score: 8.6
CVSS: 5.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2021-30640 vulnerability.

References

CVE-2021-33037: Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse…

Published: 2021-07-12T15:15:00 Last Modified: 2022-02-07T16:16:00

Summary

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Common Weakness Enumeration (CWE): CWE-444: Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)

CWE Description: When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to “smuggle” a request to one device without the other device being aware of it.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2021-33037 vulnerability.

References

CVE-2021-25122: When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0,…

Published: 2021-03-01T12:15:00 Last Modified: 2022-02-07T16:15:00

Summary

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A’s request.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2021-25122 vulnerability.

References

CVE-2021-25329: The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1…

Published: 2021-03-01T12:15:00 Last Modified: 2022-02-07T16:15:00

Summary

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

Scores

Impact Score: 6.4
Exploitability Score: 3.4
CVSS: 4.4
CVSS Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: LOCAL

Currently, there is no code for exploiting the CVE-2021-25329 vulnerability.

References

CVE-2021-24122: When serving resources from a network location using the NTFS file system, Apache Tomcat versions…

Published: 2021-01-14T15:15:00 Last Modified: 2021-07-20T23:15:00

Summary

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE Description: Separate mistakes or weaknesses could inadvertently make the sensitive information available to an attacker, such as in a detailed error message that can be read by an unauthorized party

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2021-24122 vulnerability.

References

CVE-2020-17527: While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9,…

Published: 2020-12-03T19:15:00 Last Modified: 2022-02-07T16:15:00

Summary

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2020-17527 vulnerability.

References

CVE-2020-13943: If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or…

Published: 2020-10-12T14:15:00 Last Modified: 2021-06-14T18:15:00

Summary

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

Scores

Impact Score: 2.9
Exploitability Score: 8.0
CVSS: 4.0
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: SINGLE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2020-13943 vulnerability.

References

CVE-2020-13935: The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to…

Published: 2020-07-14T15:15:00 Last Modified: 2022-02-07T16:15:00

Summary

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Common Weakness Enumeration (CWE): CWE-835: Loop with Unreachable Exit Condition (‘Infinite Loop’)

CWE Description: The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2020-13935 vulnerability.

References

CVE-2020-13934: An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to…

Published: 2020-07-14T15:15:00 Last Modified: 2022-02-07T16:15:00

Summary

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

Common Weakness Enumeration (CWE): CWE-401: Missing Release of Memory after Effective Lifetime

CWE Description: The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2020-13934 vulnerability.

References

CVE-2020-8022: A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise…

Published: 2020-06-29T09:15:00 Last Modified: 2021-03-17T14:26:00

Summary

A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.

Common Weakness Enumeration (CWE): CWE-276: Incorrect Default Permissions

CWE Description: During installation, installed file permissions are set to allow anyone to modify those files.

Scores

Impact Score: 10.0
Exploitability Score: 3.9
CVSS: 7.2
CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact

Availability: COMPLETE
Confidentiality: COMPLETE
Integrity: COMPLETE

Access

Authentication: NONE
Complexity: LOW
Vector: LOCAL

Currently, there is no code for exploiting the CVE-2020-8022 vulnerability.

References

CVE-2020-11996: A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5,…

Published: 2020-06-26T17:15:00 Last Modified: 2021-07-21T11:39:00

Summary

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2020-11996 vulnerability.

References

CVE-2020-9484: When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and…

Published: 2020-05-20T19:15:00 Last Modified: 2022-02-07T16:15:00

Summary

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=“null” (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

Common Weakness Enumeration (CWE): CWE-502: Deserialization of Untrusted Data

CWE Description: The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Scores

Impact Score: 6.4
Exploitability Score: 3.4
CVSS: 4.4
CVSS Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: LOCAL

Currently, there is no code for exploiting the CVE-2020-9484 vulnerability.

References

CVE-2020-1938: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections…

Published: 2020-02-24T22:15:00 Last Modified: 2021-07-21T11:39:00

Summary

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

Common Weakness Enumeration (CWE): CWE-269: Improper Privilege Management

CWE Description: The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Scores

Impact Score: 6.4
Exploitability Score: 10.0
CVSS: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Exploits Database (Total Exploits Count: 2)

Code designed for conducting penetration testing on CVE-2020-1938 vulnerability.

References

CVE-2019-17569: The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99…

Published: 2020-02-24T22:15:00 Last Modified: 2021-01-20T15:15:00

Summary

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Common Weakness Enumeration (CWE): CWE-444: Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)

Scores

Impact Score: 4.9
Exploitability Score: 8.6
CVSS: 5.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2019-17569 vulnerability.

References

CVE-2020-1935: In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing…

Published: 2020-02-24T22:15:00 Last Modified: 2021-05-04T19:19:00

Summary

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Common Weakness Enumeration (CWE): CWE-444: Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)

Scores

Impact Score: 4.9
Exploitability Score: 8.6
CVSS: 5.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2020-1935 vulnerability.

References

CVE-2019-12418: When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the…

Published: 2019-12-23T18:15:00 Last Modified: 2021-07-21T11:39:00

Summary

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

Scores

Impact Score: 6.4
Exploitability Score: 3.4
CVSS: 4.4
CVSS Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: LOCAL

Currently, there is no code for exploiting the CVE-2019-12418 vulnerability.

References

CVE-2019-17563: When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0…

Published: 2019-12-23T17:15:00 Last Modified: 2021-01-20T15:15:00

Summary

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Common Weakness Enumeration (CWE): CWE-384: Session Fixation

CWE Description: Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Scores

Impact Score: 6.4
Exploitability Score: 4.9
CVSS: 5.1
CVSS Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: HIGH
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2019-17563 vulnerability.

References

CVE-2019-10072: The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion…

Published: 2019-06-21T18:15:00 Last Modified: 2021-06-14T18:15:00

Summary

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Common Weakness Enumeration (CWE): CWE-667: Improper Locking

CWE Description: The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2019-10072 vulnerability.

References

CVE-2019-0221: The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to…

Published: 2019-05-28T22:29:00 Last Modified: 2021-07-13T17:15:00

Summary

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Common Weakness Enumeration (CWE): CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

CWE Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2019-0221 vulnerability.

Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS) by Central InfoSec at 2021-07-13

References

CVE-2019-0232: When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat…

Published: 2019-04-15T15:29:00 Last Modified: 2021-06-14T18:15:00

Summary

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange’s blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html ) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/) .

Common Weakness Enumeration (CWE): CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

CWE Description: The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Scores

Impact Score: 10.0
Exploitability Score: 8.6
CVSS: 9.3
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Impact

Availability: COMPLETE
Confidentiality: COMPLETE
Integrity: COMPLETE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2019-0232 vulnerability.

Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit) by Metasploit at 2019-07-03

References

CVE-2019-0199: The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted…

Published: 2019-04-10T15:29:00 Last Modified: 2019-05-28T21:29:00

Summary

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API’s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Common Weakness Enumeration (CWE): CWE-400: Uncontrolled Resource Consumption

CWE Description: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2019-0199 vulnerability.

References

CVE-2018-11759: The Apache Web Server (httpd) specific code that normalised the requested path before matching it…

Published: 2018-10-31T20:29:00 Last Modified: 2019-04-15T16:31:00

Summary

The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.

Common Weakness Enumeration (CWE): CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

CWE Description: The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-11759 vulnerability.

References

CVE-2018-11784: When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23…

Published: 2018-10-04T13:29:00 Last Modified: 2021-07-13T17:15:00

Summary

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to ‘/foo/’ when the user requested ‘/foo’) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.

Common Weakness Enumeration (CWE): CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)

CWE Description: A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2018-11784 vulnerability.

Apache Tomcat 9.0.0.M1 - Open Redirect by Central InfoSec at 2021-07-13

References

CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an…

Published: 2018-08-02T14:29:00 Last Modified: 2020-04-15T21:15:00

Summary

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Common Weakness Enumeration (CWE): CWE-835: Loop with Unreachable Exit Condition (‘Infinite Loop’)

CWE Description: The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-1336 vulnerability.

References

CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered…

Published: 2018-08-02T14:29:00 Last Modified: 2019-04-15T16:31:00

Summary

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

Common Weakness Enumeration (CWE): CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)

CWE Description: The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-8037 vulnerability.

References

CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now…

Published: 2018-08-01T18:29:00 Last Modified: 2019-05-14T17:29:00

Summary

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Common Weakness Enumeration (CWE): CWE-295: Improper Certificate Validation

CWE Description: The software does not validate, or incorrectly validates, a certificate.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-8034 vulnerability.

References

CVE-2018-8019: When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not…

Published: 2018-07-31T13:29:00 Last Modified: 2020-02-03T12:15:00

Summary

When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability.

Common Weakness Enumeration (CWE): CWE-295: Improper Certificate Validation

CWE Description: The software does not validate, or incorrectly validates, a certificate.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-8019 vulnerability.

References

CVE-2018-8020: Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check…

Published: 2018-07-31T13:29:00 Last Modified: 2020-12-24T17:15:00

Summary

Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this vulnerability.

Common Weakness Enumeration (CWE): CWE-295: Improper Certificate Validation

CWE Description: The software does not validate, or incorrectly validates, a certificate.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-8020 vulnerability.

References

CVE-2018-8014: The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to…

Published: 2018-05-16T16:29:00 Last Modified: 2019-10-03T00:03:00

Summary

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable ‘supportsCredentials’ for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Common Weakness Enumeration (CWE): CWE-1188: Insecure Default Initialization of Resource

CWE Description: The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

Scores

Impact Score: 6.4
Exploitability Score: 10.0
CVSS: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-8014 vulnerability.

References

CVE-2018-1323: The IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that…

Published: 2018-03-12T16:29:00 Last Modified: 2019-04-15T16:31:00

Summary

The IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing Tomcat via the reverse proxy.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-1323 vulnerability.

References

CVE-2018-1304: The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly…

Published: 2018-02-28T20:29:00 Last Modified: 2019-10-03T00:03:00

Summary

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-1304 vulnerability.

References

CVE-2018-1305: Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0…

Published: 2018-02-23T23:29:00 Last Modified: 2019-10-03T00:03:00

Summary

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Scores

Impact Score: 2.9
Exploitability Score: 8.0
CVSS: 4.0
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: SINGLE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-1305 vulnerability.

References

CVE-2017-15706: As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16…

Published: 2018-01-31T14:29:00 Last Modified: 2019-04-15T16:31:00

Summary

As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.

Common Weakness Enumeration (CWE): CWE-358: Improperly Implemented Security Check for Standard

CWE Description: The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2017-15706 vulnerability.

References

CVE-2017-15698: When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector…

Published: 2018-01-31T14:29:00 Last Modified: 2019-03-25T11:35:00

Summary

When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

Common Weakness Enumeration (CWE): CWE-295: Improper Certificate Validation

CWE Description: The software does not validate, or incorrectly validates, a certificate.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2017-15698 vulnerability.

References

CVE-2017-12617: When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and…

Published: 2017-10-04T01:29:00 Last Modified: 2019-04-23T19:29:00

Summary

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Common Weakness Enumeration (CWE): CWE-434: Unrestricted Upload of File with Dangerous Type

CWE Description: This can be resultant from client-side enforcement (CWE-602); some products will include web script in web clients to check the filename, without verifying on the server side.

Scores

Impact Score: 6.4
Exploitability Score: 8.6
CVSS: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Exploits Database (Total Exploits Count: 2)

Code designed for conducting penetration testing on CVE-2017-12617 vulnerability.

References

CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting…

Published: 2017-09-19T13:29:00 Last Modified: 2019-04-15T16:30:00

Summary

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Common Weakness Enumeration (CWE): CWE-434: Unrestricted Upload of File with Dangerous Type

CWE Description: This can be resultant from client-side enforcement (CWE-602); some products will include web script in web clients to check the filename, without verifying on the server side.

Scores

Impact Score: 6.4
Exploitability Score: 8.6
CVSS: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2017-12615 vulnerability.

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1) by xxlegend at 2017-09-20

References

CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass…

Published: 2017-09-19T13:29:00 Last Modified: 2019-04-15T16:30:00

Summary

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2017-12616 vulnerability.

References

CVE-2016-6796: A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4,…

Published: 2017-08-11T02:29:00 Last Modified: 2021-10-20T11:15:00

Summary

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

Common Weakness Enumeration (CWE): CWE-254: 7PK - Security Features

CWE Description: Software security is not security software. Here we’re concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-6796 vulnerability.

References

CVE-2017-7674: The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and…

Published: 2017-08-11T02:29:00 Last Modified: 2019-04-15T16:31:00

Summary

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Common Weakness Enumeration (CWE): CWE-345: Insufficient Verification of Data Authenticity

CWE Description: The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2017-7674 vulnerability.

References

CVE-2017-7675: The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a…

Published: 2017-08-11T02:29:00 Last Modified: 2019-06-12T17:29:00

Summary

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

Common Weakness Enumeration (CWE): CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2017-7675 vulnerability.

References

CVE-2016-6797: The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4,…

Published: 2017-08-10T22:29:00 Last Modified: 2021-10-20T11:15:00

Summary

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

Common Weakness Enumeration (CWE): CWE-284: Improper Access Control

CWE Description: The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-6797 vulnerability.

References

CVE-2016-6817: The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an…

Published: 2017-08-10T22:29:00 Last Modified: 2019-04-15T16:30:00

Summary

The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.

Common Weakness Enumeration (CWE): CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE Description: The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-6817 vulnerability.

References

CVE-2016-8745: A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat…

Published: 2017-08-10T22:29:00 Last Modified: 2019-04-15T16:30:00

Summary

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

Common Weakness Enumeration (CWE): CWE-388: 7PK - Errors

CWE Description: This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, “Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with ‘API Abuse,’ there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle.”

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-8745 vulnerability.

References

CVE-2016-0762: The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4,…

Published: 2017-08-10T16:29:00 Last Modified: 2021-10-20T11:15:00

Summary

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-0762 vulnerability.

References

CVE-2016-5018: In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and…

Published: 2017-08-10T16:29:00 Last Modified: 2021-10-20T11:15:00

Summary

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

Common Weakness Enumeration (CWE): CWE-254: 7PK - Security Features

CWE Description: Software security is not security software. Here we’re concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-5018 vulnerability.

References

CVE-2016-6794: When a SecurityManager is configured, a web application’s ability to read system properties…

Published: 2017-08-10T16:29:00 Last Modified: 2021-10-20T11:15:00

Summary

When a SecurityManager is configured, a web application’s ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-6794 vulnerability.

References

CVE-2017-5664: The error page mechanism of the Java Servlet Specification requires that, when an error occurs…

Published: 2017-06-06T14:29:00 Last Modified: 2019-10-03T00:03:00

Summary

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

Common Weakness Enumeration (CWE): CWE-755: Improper Handling of Exceptional Conditions

CWE Description: The software does not handle or incorrectly handles an exceptional condition.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2017-5664 vulnerability.

References

CVE-2017-5650: In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY…

Published: 2017-04-17T16:59:00 Last Modified: 2019-10-03T00:03:00

Summary

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

Common Weakness Enumeration (CWE): CWE-404: Improper Resource Shutdown or Release

CWE Description: Improper release or shutdown of resources can be resultant from improper error handling or insufficient resource tracking.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2017-5650 vulnerability.

References

CVE-2017-5648: While investigating bug 60718, it was noticed that some calls to application listeners in Apache…

Published: 2017-04-17T16:59:00 Last Modified: 2020-07-20T21:15:00

Summary

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Common Weakness Enumeration (CWE): CWE-668: Exposure of Resource to Wrong Sphere

CWE Description: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Scores

Impact Score: 4.9
Exploitability Score: 10.0
CVSS: 6.4
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2017-5648 vulnerability.

References

CVE-2017-5647: A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to…

Published: 2017-04-17T16:59:00 Last Modified: 2019-04-15T16:31:00

Summary

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2017-5647 vulnerability.

References

CVE-2017-5651: In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP…

Published: 2017-04-17T16:59:00 Last Modified: 2019-10-03T00:03:00

Summary

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.

Scores

Impact Score: 6.4
Exploitability Score: 10.0
CVSS: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2017-5651 vulnerability.

References

CVE-2016-6808: Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42.

Published: 2017-04-12T20:59:00 Last Modified: 2019-04-15T16:30:00

Summary

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42.

Common Weakness Enumeration (CWE): CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE Description: The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Scores

Impact Score: 6.4
Exploitability Score: 10.0
CVSS: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-6808 vulnerability.

References

CVE-2016-8735: Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before…

Published: 2017-04-06T21:59:00 Last Modified: 2020-10-05T22:15:00

Summary

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn’t updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

Common Weakness Enumeration (CWE): CWE-284: Improper Access Control

CWE Description: The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Scores

Impact Score: 6.4
Exploitability Score: 10.0
CVSS: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-8735 vulnerability.

References

CVE-2016-9775: The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before…

Published: 2017-03-23T16:59:00 Last Modified: 2021-06-14T18:15:00

Summary

The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u7 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to gain root privileges via a setgid program in the Catalina directory, as demonstrated by /etc/tomcat8/Catalina/attack.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 10.0
Exploitability Score: 3.9
CVSS: 7.2
CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact

Availability: COMPLETE
Confidentiality: COMPLETE
Integrity: COMPLETE

Access

Authentication: NONE
Complexity: LOW
Vector: LOCAL

Currently, there is no code for exploiting the CVE-2016-9775 vulnerability.

References

CVE-2016-9774: The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before…

Published: 2017-03-23T16:59:00 Last Modified: 2018-08-02T01:29:00

Summary

The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u8 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to obtain sensitive information or gain root privileges via a symlink attack on the Catalina localhost directory.

Common Weakness Enumeration (CWE): CWE-59: Improper Link Resolution Before File Access (‘Link Following’)

CWE Description: The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Scores

Impact Score: 10.0
Exploitability Score: 3.9
CVSS: 7.2
CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact

Availability: COMPLETE
Confidentiality: COMPLETE
Integrity: COMPLETE

Access

Authentication: NONE
Complexity: LOW
Vector: LOCAL

Currently, there is no code for exploiting the CVE-2016-9774 vulnerability.

References

CVE-2016-6816: The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to…

Published: 2017-03-20T18:59:00 Last Modified: 2020-10-05T22:15:00

Summary

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation

CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scores

Impact Score: 6.4
Exploitability Score: 8.6
CVSS: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2016-6816 vulnerability.

Apache Tomcat 6/7/8/9 - Information Disclosure by justpentest at 2017-04-04

References

CVE-2016-8747: An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to…

Published: 2017-03-14T09:59:00 Last Modified: 2019-04-15T16:30:00

Summary

An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-8747 vulnerability.

References

CVE-2016-5425: The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and…

Published: 2016-10-13T14:59:00 Last Modified: 2020-07-23T18:24:00

Summary

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.

Common Weakness Enumeration (CWE): CWE-276: Incorrect Default Permissions

CWE Description: During installation, installed file permissions are set to allow anyone to modify those files.

Scores

Impact Score: 10.0
Exploitability Score: 3.9
CVSS: 7.2
CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact

Availability: COMPLETE
Confidentiality: COMPLETE
Integrity: COMPLETE

Access

Authentication: NONE
Complexity: LOW
Vector: LOCAL

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2016-5425 vulnerability.

Apache Tomcat 8/7/6 (RedHat Based Distros) - Local Privilege Escalation by Dawid Golunski at 2016-10-10

References

CVE-2016-6325: The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and…

Published: 2016-10-13T14:59:00 Last Modified: 2018-01-05T02:31:00

Summary

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 10.0
Exploitability Score: 3.9
CVSS: 7.2
CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact

Availability: COMPLETE
Confidentiality: COMPLETE
Integrity: COMPLETE

Access

Authentication: NONE
Complexity: LOW
Vector: LOCAL

Currently, there is no code for exploiting the CVE-2016-6325 vulnerability.

References

CVE-2016-1240: The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before…

Published: 2016-10-03T15:59:00 Last Modified: 2018-10-09T19:59:00

Summary

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.

Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation

CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scores

Impact Score: 10.0
Exploitability Score: 3.9
CVSS: 7.2
CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact

Availability: COMPLETE
Confidentiality: COMPLETE
Integrity: COMPLETE

Access

Authentication: NONE
Complexity: LOW
Vector: LOCAL

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2016-1240 vulnerability.

Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation by Dawid Golunski at 2016-10-03

References

CVE-2016-5388: Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows…

Published: 2016-07-19T02:00:00 Last Modified: 2020-08-14T11:15:00

Summary

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an “httpoxy” issue. NOTE: the vendor states “A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388”; in other words, this is not a CVE ID for a vulnerability.

Common Weakness Enumeration (CWE): CWE-284: Improper Access Control

CWE Description: The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Scores

Impact Score: 6.4
Exploitability Score: 4.9
CVSS: 5.1
CVSS Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: HIGH
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-5388 vulnerability.

References

CVE-2016-3092: The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x…

Published: 2016-07-04T22:59:00 Last Modified: 2021-07-17T08:15:00

Summary

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation

CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scores

Impact Score: 6.9
Exploitability Score: 10.0
CVSS: 7.8
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Impact

Availability: COMPLETE
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-3092 vulnerability.

References

CVE-2016-0706: Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2…

Published: 2016-02-25T01:59:00 Last Modified: 2019-04-15T16:30:00

Summary

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Scores

Impact Score: 2.9
Exploitability Score: 8.0
CVSS: 4.0
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: SINGLE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-0706 vulnerability.

References

CVE-2016-0714: The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x…

Published: 2016-02-25T01:59:00 Last Modified: 2019-04-15T16:30:00

Summary

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 6.4
Exploitability Score: 8.0
CVSS: 6.5
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: SINGLE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-0714 vulnerability.

References

CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache…

Published: 2016-02-25T01:59:00 Last Modified: 2019-03-21T15:59:00

Summary

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 6.4
Exploitability Score: 8.0
CVSS: 6.5
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: SINGLE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-0763 vulnerability.

References

CVE-2015-5345: The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30,…

Published: 2016-02-25T01:59:00 Last Modified: 2019-04-15T16:30:00

Summary

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

Common Weakness Enumeration (CWE): CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2015-5345 vulnerability.

References

CVE-2015-5351: The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before…

Published: 2016-02-25T01:59:00 Last Modified: 2018-07-19T01:29:00

Summary

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

Common Weakness Enumeration (CWE): CWE-352: Cross-Site Request Forgery (CSRF)

CWE Description: The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Scores

Impact Score: 6.4
Exploitability Score: 8.6
CVSS: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2015-5351 vulnerability.

References

CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x…

Published: 2016-02-25T01:59:00 Last Modified: 2019-04-15T16:30:00

Summary

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

Common Weakness Enumeration (CWE): CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Scores

Impact Score: 2.9
Exploitability Score: 8.0
CVSS: 4.0
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: SINGLE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2015-5174 vulnerability.

References

CVE-2015-5346: Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x…

Published: 2016-02-25T01:59:00 Last Modified: 2018-07-19T01:29:00

Summary

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Scores

Impact Score: 6.4
Exploitability Score: 8.6
CVSS: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2015-5346 vulnerability.

References

CVE-2014-0230: Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle…

Published: 2015-06-07T23:59:00 Last Modified: 2019-04-15T16:30:00

Summary

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.

Common Weakness Enumeration (CWE): CWE-399: Resource Management Errors

CWE Description: This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Scores

Impact Score: 6.9
Exploitability Score: 10.0
CVSS: 7.8
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Impact

Availability: COMPLETE
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2014-0230 vulnerability.

References

CVE-2014-7810: The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before…

Published: 2015-06-07T23:59:00 Last Modified: 2019-04-15T16:30:00

Summary

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

Common Weakness Enumeration (CWE): CWE-284: Improper Access Control

CWE Description: The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2014-7810 vulnerability.

References

CVE-2014-8111: Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous…

Published: 2015-04-21T17:59:00 Last Modified: 2019-04-15T16:30:00

Summary

Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2014-8111 vulnerability.

References

CVE-2014-0227: java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42,…

Published: 2015-02-16T00:59:00 Last Modified: 2019-04-15T16:29:00

Summary

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.

Common Weakness Enumeration (CWE): CWE-19: Data Processing Errors

CWE Description: Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Scores

Impact Score: 4.9
Exploitability Score: 10.0
CVSS: 6.4
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2014-0227 vulnerability.

References

CVE-2013-4444: Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations…

Published: 2014-09-12T01:55:00 Last Modified: 2021-01-07T00:15:00

Summary

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.

Common Weakness Enumeration (CWE): CWE-94: Improper Control of Generation of Code (‘Code Injection’)

CWE Description: The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Scores

Impact Score: 6.4
Exploitability Score: 8.6
CVSS: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2013-4444 vulnerability.

References

CVE-2014-0095: java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows…

Published: 2014-05-31T11:17:00 Last Modified: 2017-11-15T02:29:00

Summary

java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a “Content-Length: 0” AJP request to trigger a hang in request processing.

Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation

CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2014-0095 vulnerability.

References

CVE-2014-0075: Integer overflow in the parseChunkHeader function in…

Published: 2014-05-31T11:17:00 Last Modified: 2019-04-15T16:29:00

Summary

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.

Common Weakness Enumeration (CWE): CWE-189: Numeric Errors

CWE Description: Weaknesses in this category are related to improper calculation or conversion of numbers.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2014-0075 vulnerability.

References

CVE-2014-0096: java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat…

Published: 2014-05-31T11:17:00 Last Modified: 2019-04-15T16:29:00

Summary

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2014-0096 vulnerability.

References

CVE-2014-0099: Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40,…

Published: 2014-05-31T11:17:00 Last Modified: 2019-04-15T16:29:00

Summary

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

Common Weakness Enumeration (CWE): CWE-189: Numeric Errors

CWE Description: Weaknesses in this category are related to improper calculation or conversion of numbers.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2014-0099 vulnerability.

References

CVE-2014-0119: Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain…

Published: 2014-05-31T11:17:00 Last Modified: 2019-04-15T16:29:00

Summary

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2014-0119 vulnerability.

References

CVE-2014-0050: MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss…

Published: 2014-04-01T06:27:00 Last Modified: 2021-07-17T08:15:00

Summary

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop’s intended exit conditions.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 6.4
Exploitability Score: 10.0
CVSS: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2014-0050 vulnerability.

Apache Commons FileUpload and Apache Tomcat - Denial of Service by Trustwave's SpiderLabs at 2014-02-12

References

CVE-2014-0033: org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not…

Published: 2014-02-26T14:55:00 Last Modified: 2019-04-15T16:29:00

Summary

org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.

Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation

CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2014-0033 vulnerability.

References

CVE-2013-4286: Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector…

Published: 2014-02-26T14:55:00 Last Modified: 2019-04-15T16:29:00

Summary

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request’s length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a “Transfer-Encoding: chunked” header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation

CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scores

Impact Score: 4.9
Exploitability Score: 8.6
CVSS: 5.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2013-4286 vulnerability.

References

CVE-2013-4322: Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked…

Published: 2014-02-26T14:55:00 Last Modified: 2019-04-15T16:29:00

Summary

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.

Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation

CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2013-4322 vulnerability.

References

CVE-2013-4590: Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to…

Published: 2014-02-26T14:55:00 Last Modified: 2019-04-15T16:29:00

Summary

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain “Tomcat internals” information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2013-4590 vulnerability.

References

CVE-2013-0346: DISPUTED Apache Tomcat 7.x uses world-readable permissions for the log directory and its…

Published: 2014-02-15T14:57:00 Last Modified: 2014-02-18T19:40:00

Summary

** DISPUTED ** Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor has stated “The tomcat log directory does not contain any sensitive information.”

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 2.9
Exploitability Score: 3.9
CVSS: 2.1
CVSS Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: LOCAL

Currently, there is no code for exploiting the CVE-2013-0346 vulnerability.

References

CVE-2013-2185: DISPUTED The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as…

Published: 2014-01-19T18:02:00 Last Modified: 2016-11-01T16:35:00

Summary

** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.

Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation

CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scores

Impact Score: 6.4
Exploitability Score: 10.0
CVSS: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2013-2185 vulnerability.

References

CVE-2013-6357: DISPUTED Cross-site request forgery (CSRF) vulnerability in the Manager application in…

Published: 2013-11-13T15:55:00 Last Modified: 2013-11-14T17:45:00

Summary

** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that “the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application … as they require a reckless system administrator.”

Common Weakness Enumeration (CWE): CWE-352: Cross-Site Request Forgery (CSRF)

CWE Description: The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Scores

Impact Score: 6.4
Exploitability Score: 8.6
CVSS: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2013-6357 vulnerability.

Apache Tomcat 5.5.25 - Cross-Site Request Forgery by Ivano Binetti at 2013-11-04

References

http://www.webapp-security.com/wp-content/uploads/2013/11/Apache-Tomcat-5.5.25-CSRF-Vulnerabilities.txt

CVE-2013-2067: java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature…

Published: 2013-06-01T14:21:00 Last Modified: 2019-04-15T16:29:00

Summary

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

Common Weakness Enumeration (CWE): CWE-287: Improper Authentication

CWE Description: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Scores

Impact Score: 6.4
Exploitability Score: 8.6
CVSS: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2013-2067 vulnerability.

References

CVE-2013-2071: java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not…

Published: 2013-06-01T14:21:00 Last Modified: 2017-05-23T01:29:00

Summary

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Scores

Impact Score: 2.9
Exploitability Score: 4.9
CVSS: 2.6
CVSS Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: HIGH
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2013-2071 vulnerability.

References

CVE-2012-3544: Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions…

Published: 2013-06-01T14:21:00 Last Modified: 2019-04-15T16:29:00

Summary

Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.

Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation

CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2012-3544 vulnerability.

References

CVE-2012-3546: org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before…

Published: 2012-12-19T11:55:00 Last Modified: 2017-09-19T01:35:00

Summary

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2012-3546 vulnerability.

References

CVE-2012-4431: org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x…

Published: 2012-12-19T11:55:00 Last Modified: 2017-09-19T01:35:00

Summary

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2012-4431 vulnerability.

References

CVE-2012-4534: org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before…

Published: 2012-12-19T11:55:00 Last Modified: 2017-09-19T01:35:00

Summary

org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response.

Common Weakness Enumeration (CWE): CWE-399: Resource Management Errors

Scores

Impact Score: 2.9
Exploitability Score: 4.9
CVSS: 2.6
CVSS Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: HIGH
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2012-4534 vulnerability.

References

CVE-2012-5568: Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage)…

Published: 2012-11-30T19:55:00 Last Modified: 2021-01-11T18:10:00

Summary

Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2012-5568 vulnerability.

References

CVE-2012-5885: The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation…

Published: 2012-11-17T19:55:00 Last Modified: 2017-09-19T01:35:00

Summary

The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2012-5885 vulnerability.

References

CVE-2012-5887: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x…

Published: 2012-11-17T19:55:00 Last Modified: 2017-08-29T01:32:00

Summary

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.

Common Weakness Enumeration (CWE): CWE-287: Improper Authentication

CWE Description: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2012-5887 vulnerability.

References

CVE-2012-5886: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x…

Published: 2012-11-17T19:55:00 Last Modified: 2017-08-29T01:32:00

Summary

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.

Common Weakness Enumeration (CWE): CWE-287: Improper Authentication

CWE Description: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact

Availability: NONE
Confidentiality: NONE
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2012-5886 vulnerability.

References

CVE-2012-2733: java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache…

Published: 2012-11-16T21:55:00 Last Modified: 2017-09-19T01:34:00

Summary

java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data.

Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation

CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2012-2733 vulnerability.

References

CVE-2012-0022: Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient…

Published: 2012-01-19T04:01:00 Last Modified: 2019-03-25T11:33:00

Summary

Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.

Common Weakness Enumeration (CWE): CWE-189: Numeric Errors

CWE Description: Weaknesses in this category are related to improper calculation or conversion of numbers.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2012-0022 vulnerability.

References

CVE-2011-3375: Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain…

Published: 2012-01-19T04:01:00 Last Modified: 2012-02-16T04:16:00

Summary

Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.

Common Weakness Enumeration (CWE): CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2011-3375 vulnerability.

References

CVE-2011-1184: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x…

Published: 2012-01-14T21:55:00 Last Modified: 2019-03-25T11:33:00

Summary

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2011-1184 vulnerability.

References

CVE-2011-5063: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x…

Published: 2012-01-14T21:55:00 Last Modified: 2019-03-25T11:33:00

Summary

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

Common Weakness Enumeration (CWE): CWE-287: Improper Authentication

CWE Description: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2011-5063 vulnerability.

References

CVE-2011-5062: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x…

Published: 2012-01-14T21:55:00 Last Modified: 2019-03-25T11:33:00

Summary

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2011-5062 vulnerability.

References

CVE-2011-5064: DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat…

Published: 2012-01-14T21:55:00 Last Modified: 2019-03-25T11:33:00

Summary

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

Common Weakness Enumeration (CWE): CWE-310: Cryptographic Issues

CWE Description: Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

Scores

Impact Score: 2.9
Exploitability Score: 8.6
CVSS: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact

Availability: NONE
Confidentiality: PARTIAL
Integrity: NONE

Access

Authentication: NONE
Complexity: MEDIUM
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2011-5064 vulnerability.

References

CVE-2011-4858: Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for…

Published: 2012-01-05T19:55:00 Last Modified: 2018-01-09T02:29:00

Summary

Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Common Weakness Enumeration (CWE): CWE-399: Resource Management Errors

Scores

Impact Score: 2.9
Exploitability Score: 10.0
CVSS: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

Availability: PARTIAL
Confidentiality: NONE
Integrity: NONE

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Exploits Database (Total Exploits Count: 1)

Code designed for conducting penetration testing on CVE-2011-4858 vulnerability.

MyBulletinBoard (MyBB) 1.1.5 - 'CLIENT-IP' SQL Injection by rgod at 2006-07-15

References

CVE-2011-3376: org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not…

Published: 2011-11-11T21:55:00 Last Modified: 2017-05-23T01:29:00

Summary

org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application’s functionality.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 6.4
Exploitability Score: 3.4
CVSS: 4.4
CVSS Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: MEDIUM
Vector: LOCAL

Currently, there is no code for exploiting the CVE-2011-3376 vulnerability.

References

CVE-2011-3190: Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0…

Published: 2011-08-31T23:55:00 Last Modified: 2019-03-25T11:33:00

Summary

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

Common Weakness Enumeration (CWE): CWE-264: Permissions, Privileges, and Access Controls

CWE Description: Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Scores

Impact Score: 6.4
Exploitability Score: 10.0
CVSS: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: NETWORK

Currently, there is no code for exploiting the CVE-2011-3190 vulnerability.

References

CVE-2011-2481: Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for…

Published: 2011-08-15T21:55:00 Last Modified: 2017-05-23T01:29:00

Summary

Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression.

Scores

Impact Score: 6.4
Exploitability Score: 3.9
CVSS: 4.6
CVSS Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Impact

Availability: PARTIAL
Confidentiality: PARTIAL
Integrity: PARTIAL

Access

Authentication: NONE
Complexity: LOW
Vector: LOCAL

Currently, there is no code for exploiting the CVE-2011-2481 vulnerability.

References

https://issues.apache.org/bugzilla/show_bug.cgi?id=51395