Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/61688?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/61688?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.0", "type": "maven", "namespace": "org.apache.tomcat", "name": "tomcat", "version": "6.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.0.17", "latest_non_vulnerable_version": "11.0.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43822?format=api", "vulnerability_id": "VCID-2kjh-4r2g-rqe6", "summary": "Improper Access Control\nThe Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.", "references": [ { "reference_url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2015-1621.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-1621.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2015-1622.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-1622.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-0492.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-0492.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2046.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2046.html" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1644018", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1644018" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1645642", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1645642" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://tomcat.apache.org/security-8.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-8.html" }, { "reference_url": "http://www.debian.org/security/2015/dsa-3428", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2015/dsa-3428" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3447", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3447" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3530", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3530" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html" }, { "reference_url": "http://www.ubuntu.com/usn/USN-2654-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-2654-1" }, { "reference_url": "http://www.ubuntu.com/usn/USN-2655-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-2655-1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7810", "reference_id": "CVE-2014-7810", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7810" }, { "reference_url": "https://github.com/advisories/GHSA-4c43-cwvx-9crh", "reference_id": "GHSA-4c43-cwvx-9crh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4c43-cwvx-9crh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62956?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.44", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n4zk-mdyw-3fcz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.44" }, { "url": "http://public2.vulnerablecode.io/api/packages/62957?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.58", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.58" }, { "url": "http://public2.vulnerablecode.io/api/packages/62958?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.16" } ], "aliases": [ "CVE-2014-7810", "GHSA-4c43-cwvx-9crh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2kjh-4r2g-rqe6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44064?format=api", "vulnerability_id": "VCID-46sr-9kr3-1ubw", "summary": "Improper Authentication\nThe HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html" }, { "reference_url": "http://secunia.com/advisories/57126", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/57126" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1087655", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1087655" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1158180", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1158180" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1159309", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1159309" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5063", "reference_id": "CVE-2011-5063", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5063" }, { "reference_url": "https://github.com/advisories/GHSA-hffm-fqv4-w27r", "reference_id": "GHSA-hffm-fqv4-w27r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hffm-fqv4-w27r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63020?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4t2h-jjhm-y7fq" }, { "vulnerability": "VCID-ft1c-mand-mkcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/62994?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1e8h-uhj4-akhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.12" } ], "aliases": [ "CVE-2011-5063", "GHSA-hffm-fqv4-w27r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-46sr-9kr3-1ubw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43901?format=api", "vulnerability_id": "VCID-4t2h-jjhm-y7fq", "summary": "Apache Tomcat Allows Remote Attackers to Spoof AJP Requests\nCertain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.", "references": [ { "reference_url": "http://marc.info/?l=bugtraq&m=132215163318824&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=132215163318824&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://securityreason.com/securityalert/8362", "reference_id": "", "reference_type": "", "scores": [], "url": "http://securityreason.com/securityalert/8362" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69472", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69472" }, { "reference_url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=51698", "reference_id": "", "reference_type": "", "scores": [], "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=51698" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14933", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14933" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19465", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19465" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:156", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:156" }, { "reference_url": "http://www.securityfocus.com/archive/1/519466/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/519466/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/bid/49353", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/49353" }, { "reference_url": "http://www.securitytracker.com/id?1025993", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id?1025993" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3190", "reference_id": "CVE-2011-3190", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3190" }, { "reference_url": "https://github.com/advisories/GHSA-c38m-v4m2-524v", "reference_id": "GHSA-c38m-v4m2-524v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c38m-v4m2-524v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61974?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.34", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.34" }, { "url": "http://public2.vulnerablecode.io/api/packages/63088?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.21" } ], "aliases": [ "CVE-2011-3190", "GHSA-c38m-v4m2-524v" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4t2h-jjhm-y7fq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44045?format=api", "vulnerability_id": "VCID-5m85-3zyu-7qak", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\nThe session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2016:1087", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2016:1087" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2016:1088", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2016:1088" }, { "reference_url": "http://seclists.org/bugtraq/2016/Feb/145", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/bugtraq/2016/Feb/145" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.gentoo.org/glsa/201705-09", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/201705-09" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180531-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180531-0001/" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1725263", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1725263" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1725914", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1725914" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1726196", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1726196" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1726203", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1726203" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1726923", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1726923" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1727034", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1727034" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1727166", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1727166" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1727182", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1727182" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://tomcat.apache.org/security-8.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-8.html" }, { "reference_url": "http://tomcat.apache.org/security-9.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-9.html" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3530", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3530" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3552", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3552" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3609", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3609" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html" }, { "reference_url": "http://www.ubuntu.com/usn/USN-3024-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-3024-1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0714", "reference_id": "CVE-2016-0714", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0714" }, { "reference_url": "https://github.com/advisories/GHSA-mv42-px54-87jw", "reference_id": "GHSA-mv42-px54-87jw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mv42-px54-87jw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62432?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.46", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.46" }, { "url": "http://public2.vulnerablecode.io/api/packages/62852?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.70", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-s37s-p75k-27e6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.70" }, { "url": "http://public2.vulnerablecode.io/api/packages/63165?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.0.32", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/62886?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1m6-79yt-f7h5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2" } ], "aliases": [ "CVE-2016-0714", "GHSA-mv42-px54-87jw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5m85-3zyu-7qak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43845?format=api", "vulnerability_id": "VCID-6uuq-2a39-yubx", "summary": "Uncontrolled Resource Consumption in Apache Tomcat\nApache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.", "references": [ { "reference_url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/201505.mbox/%3C554949D1.8030904%40apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/201505.mbox/%3C554949D1.8030904%40apache.org%3E" }, { "reference_url": "http://marc.info/?l=bugtraq&m=144498216801440&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=144498216801440&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2" }, { "reference_url": "http://openwall.com/lists/oss-security/2015/04/10/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://openwall.com/lists/oss-security/2015/04/10/1" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2015-1622.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-1622.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-0595.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-0595.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-0596.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-0596.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-0597.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-0597.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-0598.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-0598.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2015:2659", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2015:2659" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2015:2660", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2015:2660" }, { "reference_url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964" }, { "reference_url": "https://issues.jboss.org/browse/JWS-219", "reference_id": "", "reference_type": "", "scores": [], "url": "https://issues.jboss.org/browse/JWS-219" }, { "reference_url": "https://issues.jboss.org/browse/JWS-220", "reference_id": "", "reference_type": "", "scores": [], "url": "https://issues.jboss.org/browse/JWS-220" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1603770", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1603770" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1603775", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1603775" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1603779", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1603779" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://tomcat.apache.org/security-8.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-8.html" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3447", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3447" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3530", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3530" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html" }, { "reference_url": "http://www.ubuntu.com/usn/USN-2654-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-2654-1" }, { "reference_url": "http://www.ubuntu.com/usn/USN-2655-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-2655-1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0230", "reference_id": "CVE-2014-0230", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0230" }, { "reference_url": "https://github.com/advisories/GHSA-pxcx-cxq8-4mmw", "reference_id": "GHSA-pxcx-cxq8-4mmw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pxcx-cxq8-4mmw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62956?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.44", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n4zk-mdyw-3fcz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.44" }, { "url": "http://public2.vulnerablecode.io/api/packages/62932?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.55", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.55" }, { "url": "http://public2.vulnerablecode.io/api/packages/62933?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.0.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.9" } ], "aliases": [ "CVE-2014-0230", "GHSA-pxcx-cxq8-4mmw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6uuq-2a39-yubx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43888?format=api", "vulnerability_id": "VCID-74c7-a56p-kufz", "summary": "Use of Hard-coded Cryptographic Key in Apache Tomcat\nDigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html" }, { "reference_url": "http://secunia.com/advisories/57126", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/57126" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1087655", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1087655" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1158180", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1158180" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1159309", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1159309" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5064", "reference_id": "CVE-2011-5064", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5064" }, { "reference_url": "https://github.com/advisories/GHSA-6cr4-7c7p-p3xv", "reference_id": "GHSA-6cr4-7c7p-p3xv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6cr4-7c7p-p3xv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63020?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4t2h-jjhm-y7fq" }, { "vulnerability": "VCID-ft1c-mand-mkcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/62994?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1e8h-uhj4-akhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.12" } ], "aliases": [ "CVE-2011-5064", "GHSA-6cr4-7c7p-p3xv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-74c7-a56p-kufz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43910?format=api", "vulnerability_id": "VCID-7787-4bwm-efgq", "summary": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nApache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.", "references": [ { "reference_url": "http://jvn.jp/en/jp/JVN63832775/index.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://jvn.jp/en/jp/JVN63832775/index.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=129070310906557&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=129070310906557&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445" }, { "reference_url": "http://support.apple.com/kb/HT4077", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT4077" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html" }, { "reference_url": "http://tomcat.apache.org/security-4.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-4.html" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://www.debian.org/security/2011/dsa-2207", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2011/dsa-2207" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5515", "reference_id": "CVE-2008-5515", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5515" }, { "reference_url": "https://github.com/advisories/GHSA-9737-qmgc-hfr9", "reference_id": "GHSA-9737-qmgc-hfr9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9737-qmgc-hfr9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61838?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j31-459b-4qbm" }, { "vulnerability": "VCID-eawm-8v9w-yfap" }, { "vulnerability": "VCID-y9yv-u4jh-mqew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.20" } ], "aliases": [ "CVE-2008-5515", "GHSA-9737-qmgc-hfr9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7787-4bwm-efgq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44037?format=api", "vulnerability_id": "VCID-89e9-m968-vfhe", "summary": "Authentication Bypass in Apache Tomcat\nThe HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19169", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19169" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1087655", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1087655" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1158180", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1158180" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1159309", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1159309" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1184", "reference_id": "CVE-2011-1184", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1184" }, { "reference_url": "https://github.com/advisories/GHSA-q9xf-jwr4-v445", "reference_id": "GHSA-q9xf-jwr4-v445", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q9xf-jwr4-v445" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63020?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4t2h-jjhm-y7fq" }, { "vulnerability": "VCID-ft1c-mand-mkcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/62994?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1e8h-uhj4-akhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.12" } ], "aliases": [ "CVE-2011-1184", "GHSA-q9xf-jwr4-v445" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-89e9-m968-vfhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43865?format=api", "vulnerability_id": "VCID-9hm5-e4dw-6ffe", "summary": "Improper Authentication in Apache Tomcat\nThe HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html" }, { "reference_url": "http://secunia.com/advisories/57126", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/57126" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1087655", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1087655" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1158180", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1158180" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1159309", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1159309" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5062", "reference_id": "CVE-2011-5062", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5062" }, { "reference_url": "https://github.com/advisories/GHSA-4f7h-9j2x-cmr4", "reference_id": "GHSA-4f7h-9j2x-cmr4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4f7h-9j2x-cmr4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63020?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4t2h-jjhm-y7fq" }, { "vulnerability": "VCID-ft1c-mand-mkcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/62994?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1e8h-uhj4-akhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.12" } ], "aliases": [ "CVE-2011-5062", "GHSA-4f7h-9j2x-cmr4" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9hm5-e4dw-6ffe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43196?format=api", "vulnerability_id": "VCID-9j31-459b-4qbm", "summary": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nDirectory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55857", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55857" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19431", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19431" }, { "reference_url": "http://support.apple.com/kb/HT4077", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT4077" }, { "reference_url": "http://svn.apache.org/viewvc?rev=892815&view=rev", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?rev=892815&view=rev" }, { "reference_url": "http://svn.apache.org/viewvc?rev=902650&view=rev", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?rev=902650&view=rev" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://ubuntu.com/usn/usn-899-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://ubuntu.com/usn/usn-899-1" }, { "reference_url": "http://www.debian.org/security/2011/dsa-2207", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2011/dsa-2207" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2902", "reference_id": "CVE-2009-2902", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2902" }, { "reference_url": "https://github.com/advisories/GHSA-8wch-9gcg-v2pr", "reference_id": "GHSA-8wch-9gcg-v2pr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8wch-9gcg-v2pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61840?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.24", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.24" } ], "aliases": [ "CVE-2009-2902", "GHSA-8wch-9gcg-v2pr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9j31-459b-4qbm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44015?format=api", "vulnerability_id": "VCID-aar2-398x-p3d8", "summary": "Improper Input Validation\nApache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.", "references": [ { "reference_url": "http://marc.info/?l=bugtraq&m=132215163318824&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=132215163318824&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=720948", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=720948" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/68541", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/68541" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1145383", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1145383" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1145571", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1145571" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1145694", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1145694" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1146005", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1146005" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2526", "reference_id": "CVE-2011-2526", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2526" }, { "reference_url": "https://github.com/advisories/GHSA-9ggm-7897-x4mg", "reference_id": "GHSA-9ggm-7897-x4mg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9ggm-7897-x4mg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63020?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4t2h-jjhm-y7fq" }, { "vulnerability": "VCID-ft1c-mand-mkcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/63279?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.19" } ], "aliases": [ "CVE-2011-2526", "GHSA-9ggm-7897-x4mg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-aar2-398x-p3d8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2223?format=api", "vulnerability_id": "VCID-atus-ryef-17h1", "summary": "Mozilla developers added support in the Network Security Services\nmodule for preventing a type of man-in-the-middle attack against TLS\nusing forced renegotiation.Note that to benefit from the fix, Firefox 3.6 and\nFirefox 3.5 users will need to set\ntheir security.ssl.require_safe_negotiation preference to\ntrue. Firefox 3 does not contain the fix for this issue.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566" }, { "reference_url": "https://nginx.org/download/patch.cve-2009-3555.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "https://nginx.org/download/patch.cve-2009-3555.txt" }, { "reference_url": "https://nginx.org/download/patch.cve-2009-3555.txt.asc", "reference_id": "", "reference_type": "", "scores": [], "url": "https://nginx.org/download/patch.cve-2009-3555.txt.asc" }, { "reference_url": "https://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://tomcat.apache.org/security-7.html" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555", "reference_id": "CVE-2009-3555", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555", "reference_id": "CVE-2009-3555", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555" }, { "reference_url": "https://github.com/advisories/GHSA-f7w7-6pjc-wwm6", "reference_id": "GHSA-f7w7-6pjc-wwm6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f7w7-6pjc-wwm6" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2010-22", "reference_id": "mfsa2010-22", "reference_type": "", "scores": [ { "value": "low", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2010-22" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61887?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.32", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/61888?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.10" } ], "aliases": [ "CVE-2009-3555", "GHSA-f7w7-6pjc-wwm6", "VU#120541" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-atus-ryef-17h1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38760?format=api", "vulnerability_id": "VCID-axzz-cadr-b7fv", "summary": "Information Exposure\nWhen a `SecurityManager` is configured, a web application's ability to read system properties should be controlled by the `SecurityManager`. In Apache Tomcat, the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.", "references": [ { "reference_url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0455", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0455" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0456", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0456" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2247", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2247" }, { "reference_url": "https://lists.apache.org/thread.html/09d2f2c65ac4ff5da42f15dc2b0f78b655e50f1a42e8a9784134a9eb@%3Cannounce.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/09d2f2c65ac4ff5da42f15dc2b0f78b655e50f1a42e8a9784134a9eb@%3Cannounce.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180605-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180605-0001/" }, { "reference_url": "https://usn.ubuntu.com/4557-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4557-1/" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3720", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3720" }, { "reference_url": "http://www.securityfocus.com/bid/93943", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/93943" }, { "reference_url": "http://www.securitytracker.com/id/1037143", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1037143" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", "reference_id": "CVE-2016-6794", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6794" }, { "reference_url": "https://github.com/advisories/GHSA-2rvf-329f-p99g", "reference_id": "GHSA-2rvf-329f-p99g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2rvf-329f-p99g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62097?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.47", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.47" }, { "url": "http://public2.vulnerablecode.io/api/packages/62098?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.72", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.72" }, { "url": "http://public2.vulnerablecode.io/api/packages/62099?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.0.37", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.37" }, { "url": "http://public2.vulnerablecode.io/api/packages/56259?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.5.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8xdc-3kn9-b3e6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/62100?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10" } ], "aliases": [ "CVE-2016-6794", "GHSA-2rvf-329f-p99g" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-axzz-cadr-b7fv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43223?format=api", "vulnerability_id": "VCID-crhe-rt8j-wycu", "summary": "Exposure of Sensitive Information to an Unauthorized Actor\nApache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0580", "reference_id": "CVE-2009-0580", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0580" }, { "reference_url": "https://github.com/advisories/GHSA-w227-xcfx-3pj8", "reference_id": "GHSA-w227-xcfx-3pj8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w227-xcfx-3pj8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61897?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.19" } ], "aliases": [ "CVE-2009-0580", "GHSA-w227-xcfx-3pj8" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-crhe-rt8j-wycu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43236?format=api", "vulnerability_id": "VCID-eawm-8v9w-yfap", "summary": "Improper Authentication in Apache Tomcat\nThe autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.", "references": [ { "reference_url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55856", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55856" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://support.apple.com/kb/HT4077", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT4077" }, { "reference_url": "http://svn.apache.org/viewvc?rev=892815&view=rev", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?rev=892815&view=rev" }, { "reference_url": "http://svn.apache.org/viewvc?rev=902650&view=rev", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?rev=902650&view=rev" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://ubuntu.com/usn/usn-899-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://ubuntu.com/usn/usn-899-1" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2901", "reference_id": "CVE-2009-2901", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2901" }, { "reference_url": "https://github.com/advisories/GHSA-hjfh-7c4v-7q8h", "reference_id": "GHSA-hjfh-7c4v-7q8h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hjfh-7c4v-7q8h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61840?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.24", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.24" } ], "aliases": [ "CVE-2009-2901", "GHSA-hjfh-7c4v-7q8h" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eawm-8v9w-yfap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43200?format=api", "vulnerability_id": "VCID-eygg-nt7y-qubh", "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat\nApache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.", "references": [ { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51195", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51195" }, { "reference_url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=29936", "reference_id": "", "reference_type": "", "scores": [], "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=29936" }, { "reference_url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=45933", "reference_id": "", "reference_type": "", "scores": [], "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=45933" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0783", "reference_id": "CVE-2009-0783", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0783" }, { "reference_url": "https://github.com/advisories/GHSA-hhjg-g8xq-hhr3", "reference_id": "GHSA-hhjg-g8xq-hhr3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hhjg-g8xq-hhr3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61838?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j31-459b-4qbm" }, { "vulnerability": "VCID-eawm-8v9w-yfap" }, { "vulnerability": "VCID-y9yv-u4jh-mqew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.20" } ], "aliases": [ "CVE-2009-0783", "GHSA-hhjg-g8xq-hhr3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eygg-nt7y-qubh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44019?format=api", "vulnerability_id": "VCID-f4ka-47dk-zffs", "summary": "Apache Tomcat Vulnerable to Denial of Service (DoS) via Improper Handling of chunk extensions\nApache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.", "references": [ { "reference_url": "https://github.com/apache/tomcat", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3544", "reference_id": "CVE-2012-3544", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3544" }, { "reference_url": "https://github.com/advisories/GHSA-qfxv-3ppc-7qg5", "reference_id": "GHSA-qfxv-3ppc-7qg5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qfxv-3ppc-7qg5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63284?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.37", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.37" }, { "url": "http://public2.vulnerablecode.io/api/packages/63285?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.30", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.30" } ], "aliases": [ "CVE-2012-3544", "GHSA-qfxv-3ppc-7qg5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f4ka-47dk-zffs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43273?format=api", "vulnerability_id": "VCID-fu9h-e3jx-abe2", "summary": "Denial of Service in Apache Tomcat\nApache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.", "references": [ { "reference_url": "http://marc.info/?l=bugtraq&m=132871655717248&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=132871655717248&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133294394108746&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133294394108746&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-1331.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-1331.html" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72425", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72425" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16925", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16925" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18934", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18934" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0022", "reference_id": "CVE-2012-0022", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0022" }, { "reference_url": "https://github.com/advisories/GHSA-8h2q-qm9x-55jc", "reference_id": "GHSA-8h2q-qm9x-55jc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8h2q-qm9x-55jc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61974?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.34", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.34" }, { "url": "http://public2.vulnerablecode.io/api/packages/56512?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wmb3-3j7y-due7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.23" } ], "aliases": [ "CVE-2012-0022", "GHSA-8h2q-qm9x-55jc" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fu9h-e3jx-abe2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43990?format=api", "vulnerability_id": "VCID-fuxz-fqw3-ufa9", "summary": "Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header\nThe default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.", "references": [ { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608286", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608286" }, { "reference_url": "https://launchpad.net/bugs/cve/CVE-2010-4312", "reference_id": "CVE-2010-4312", "reference_type": "", "scores": [], "url": "https://launchpad.net/bugs/cve/CVE-2010-4312" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4312", "reference_id": "CVE-2010-4312", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4312" }, { "reference_url": "https://security-tracker.debian.org/tracker/CVE-2010-4312", "reference_id": "CVE-2010-4312", "reference_type": "", "scores": [], "url": "https://security-tracker.debian.org/tracker/CVE-2010-4312" }, { "reference_url": "https://ubuntu.com/security/CVE-2010-4312", "reference_id": "CVE-2010-4312", "reference_type": "", "scores": [], "url": "https://ubuntu.com/security/CVE-2010-4312" }, { "reference_url": "https://github.com/advisories/GHSA-pvjh-7h8q-q56r", "reference_id": "GHSA-pvjh-7h8q-q56r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pvjh-7h8q-q56r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63157?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.35", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.35" } ], "aliases": [ "CVE-2010-4312", "GHSA-pvjh-7h8q-q56r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fuxz-fqw3-ufa9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43214?format=api", "vulnerability_id": "VCID-hmqa-jhuf-hfe2", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to \"invalid HTML.\"", "references": [ { "reference_url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=129070310906557&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=129070310906557&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49213", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49213" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11041", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11041" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19345", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19345" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6564", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6564" }, { "reference_url": "http://support.apple.com/kb/HT4077", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT4077" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html" }, { "reference_url": "http://tomcat.apache.org/security-4.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-4.html" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://www.debian.org/security/2011/dsa-2207", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2011/dsa-2207" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0781", "reference_id": "CVE-2009-0781", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0781" }, { "reference_url": "https://github.com/advisories/GHSA-j788-fx57-99wp", "reference_id": "GHSA-j788-fx57-99wp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j788-fx57-99wp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61838?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9j31-459b-4qbm" }, { "vulnerability": "VCID-eawm-8v9w-yfap" }, { "vulnerability": "VCID-y9yv-u4jh-mqew" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.20" } ], "aliases": [ "CVE-2009-0781", "GHSA-j788-fx57-99wp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hmqa-jhuf-hfe2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38546?format=api", "vulnerability_id": "VCID-hqzu-shyu-j3hp", "summary": "Information Exposure\nWhen \"send file\" is used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2017:1801", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:1801" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:1802", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:1802" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2493", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2493" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2494", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2494" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:3080", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:3080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:3081", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:3081" }, { "reference_url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03730en_us", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03730en_us" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/5796678c5a773c6f3ff57c178ac247d85ceca0dee9190ba48171451a@%3Cusers.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/5796678c5a773c6f3ff57c178ac247d85ceca0dee9190ba48171451a@%3Cusers.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.gentoo.org/glsa/201705-09", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/201705-09" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180614-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180614-0001/" }, { "reference_url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "reference_url": "http://www.arubanetworks.com/assets/alert/HPESBHF03730.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.arubanetworks.com/assets/alert/HPESBHF03730.txt" }, { "reference_url": "http://www.debian.org/security/2017/dsa-3842", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2017/dsa-3842" }, { "reference_url": "http://www.debian.org/security/2017/dsa-3843", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2017/dsa-3843" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "reference_url": "http://www.securitytracker.com/id/1038218", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1038218" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5647", "reference_id": "CVE-2017-5647", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5647" }, { "reference_url": "https://github.com/advisories/GHSA-3gv7-3h64-78cm", "reference_id": "GHSA-3gv7-3h64-78cm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3gv7-3h64-78cm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63145?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.53", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.53" }, { "url": "http://public2.vulnerablecode.io/api/packages/62849?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.0.42", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.42" }, { "url": "http://public2.vulnerablecode.io/api/packages/62425?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.5.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/62426?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M19" } ], "aliases": [ "CVE-2017-5647", "GHSA-3gv7-3h64-78cm" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hqzu-shyu-j3hp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44026?format=api", "vulnerability_id": "VCID-jw6e-g8z9-43ej", "summary": "Exposure of Sensitive Information to an Unauthorized Actor\nApache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.", "references": [ { "reference_url": "http://marc.info/?l=bugtraq&m=132215163318824&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=132215163318824&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=717013", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=717013" }, { "reference_url": "http://securitytracker.com/id?1025712", "reference_id": "", "reference_type": "", "scores": [], "url": "http://securitytracker.com/id?1025712" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/68238", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/68238" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14931", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14931" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19532", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19532" }, { "reference_url": "http://support.apple.com/kb/HT5130", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT5130" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2204", "reference_id": "CVE-2011-2204", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2204" }, { "reference_url": "https://github.com/advisories/GHSA-c57p-3v2g-w9rg", "reference_id": "GHSA-c57p-3v2g-w9rg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c57p-3v2g-w9rg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63020?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4t2h-jjhm-y7fq" }, { "vulnerability": "VCID-ft1c-mand-mkcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/63279?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.19" } ], "aliases": [ "CVE-2011-2204", "GHSA-c57p-3v2g-w9rg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jw6e-g8z9-43ej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43146?format=api", "vulnerability_id": "VCID-kxc3-vz2c-wqca", "summary": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nAbsolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.", "references": [ { "reference_url": "http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html" }, { "reference_url": "http://issues.apache.org/jira/browse/GERONIMO-3549", "reference_id": "", "reference_type": "", "scores": [], "url": "http://issues.apache.org/jira/browse/GERONIMO-3549" }, { "reference_url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html" }, { "reference_url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "reference_url": "http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3C47135C2D.1000705@apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3C47135C2D.1000705@apache.org%3E" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://marc.info/?l=full-disclosure&m=119239530508382", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=full-disclosure&m=119239530508382" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html" }, { "reference_url": "http://security.gentoo.org/glsa/glsa-200804-10.xml", "reference_id": "", "reference_type": "", "scores": [], "url": "http://security.gentoo.org/glsa/glsa-200804-10.xml" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37243", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37243" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://support.apple.com/kb/HT2163", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT2163" }, { "reference_url": "http://support.apple.com/kb/HT3216", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT3216" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html" }, { "reference_url": "http://tomcat.apache.org/security-4.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-4.html" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://www.debian.org/security/2008/dsa-1447", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2008/dsa-1447" }, { "reference_url": "http://www.debian.org/security/2008/dsa-1453", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2008/dsa-1453" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0042.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0042.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0195.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0195.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5461", "reference_id": "CVE-2007-5461", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5461" }, { "reference_url": "https://github.com/advisories/GHSA-v5p2-vg3c-pmrr", "reference_id": "GHSA-v5p2-vg3c-pmrr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v5p2-vg3c-pmrr" } ], "fixed_packages": [], "aliases": [ "CVE-2007-5461", "GHSA-v5p2-vg3c-pmrr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kxc3-vz2c-wqca" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43964?format=api", "vulnerability_id": "VCID-n4zk-mdyw-3fcz", "summary": "Exposure of Sensitive Information to an Unauthorized Actor\nApache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2016:1087", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2016:1087" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2016:1088", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2016:1088" }, { "reference_url": "http://seclists.org/bugtraq/2016/Feb/144", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/bugtraq/2016/Feb/144" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.gentoo.org/glsa/201705-09", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/201705-09" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180531-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180531-0001/" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1722799", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1722799" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1722800", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1722800" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1722801", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1722801" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1722802", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1722802" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://tomcat.apache.org/security-8.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-8.html" }, { "reference_url": "http://tomcat.apache.org/security-9.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-9.html" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3530", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3530" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3552", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3552" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3609", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3609" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html" }, { "reference_url": "http://www.ubuntu.com/usn/USN-3024-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-3024-1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0706", "reference_id": "CVE-2016-0706", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0706" }, { "reference_url": "https://github.com/advisories/GHSA-6vx3-hr43-cfrh", "reference_id": "GHSA-6vx3-hr43-cfrh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6vx3-hr43-cfrh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62427?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-s37s-p75k-27e6" }, { "vulnerability": "VCID-tcmv-6ftg-fqen" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.45" }, { "url": "http://public2.vulnerablecode.io/api/packages/62885?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.0.31", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.31" }, { "url": "http://public2.vulnerablecode.io/api/packages/62886?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1m6-79yt-f7h5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2" } ], "aliases": [ "CVE-2016-0706", "GHSA-6vx3-hr43-cfrh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n4zk-mdyw-3fcz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43810?format=api", "vulnerability_id": "VCID-pq53-6deg-abfx", "summary": "Improper Input Validation in Apache Tomcat\njava/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.", "references": [ { "reference_url": "http://advisories.mageia.org/MGASA-2015-0081.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://advisories.mageia.org/MGASA-2015-0081.html" }, { "reference_url": "http://archives.neohapsis.com/archives/bugtraq/2015-02/0067.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://archives.neohapsis.com/archives/bugtraq/2015-02/0067.html" }, { "reference_url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=143393515412274&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=143393515412274&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=143403519711434&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=143403519711434&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2015-0983.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-0983.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2015-0991.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2015-0991.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1109196", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1109196" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://source.jboss.org/changelog/JBossWeb?cs=2455", "reference_id": "", "reference_type": "", "scores": [], "url": "https://source.jboss.org/changelog/JBossWeb?cs=2455" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1600984", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1600984" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://tomcat.apache.org/security-8.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-8.html" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3447", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3447" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3530", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3530" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html" }, { "reference_url": "http://www.ubuntu.com/usn/USN-2654-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-2654-1" }, { "reference_url": "http://www.ubuntu.com/usn/USN-2655-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-2655-1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0227", "reference_id": "CVE-2014-0227", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0227" }, { "reference_url": "https://github.com/advisories/GHSA-42j3-498q-m6vp", "reference_id": "GHSA-42j3-498q-m6vp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-42j3-498q-m6vp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62931?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.42", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.42" }, { "url": "http://public2.vulnerablecode.io/api/packages/62932?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.55", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.55" }, { "url": "http://public2.vulnerablecode.io/api/packages/62933?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.0.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.9" } ], "aliases": [ "CVE-2014-0227", "GHSA-42j3-498q-m6vp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pq53-6deg-abfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43211?format=api", "vulnerability_id": "VCID-pzkk-4e94-aqag", "summary": "Exposure of Sensitive Information to an Unauthorized Actor\nApache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=129070310906557&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=129070310906557&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19492", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19492" }, { "reference_url": "http://support.apple.com/kb/HT5002", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT5002" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=936540", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=936540" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=936541", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=936541" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://www.debian.org/security/2011/dsa-2207", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2011/dsa-2207" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html" }, { "reference_url": "http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1157", "reference_id": "CVE-2010-1157", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1157" }, { "reference_url": "https://github.com/advisories/GHSA-w6q7-ww2x-7gm3", "reference_id": "GHSA-w6q7-ww2x-7gm3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w6q7-ww2x-7gm3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61874?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.28", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.28" } ], "aliases": [ "CVE-2010-1157", "GHSA-w6q7-ww2x-7gm3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pzkk-4e94-aqag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43112?format=api", "vulnerability_id": "VCID-qz87-x4zb-rud7", "summary": "Exposure of Sensitive Information to an Unauthorized Actor\nApache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes (\"'\") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.", "references": [ { "reference_url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx", "reference_id": "", "reference_type": "", "scores": [], "url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx" }, { "reference_url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36006", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36006" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://support.apple.com/kb/HT2163", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT2163" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://www.debian.org/security/2008/dsa-1447", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2008/dsa-1447" }, { "reference_url": "http://www.debian.org/security/2008/dsa-1453", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2008/dsa-1453" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2007-0871.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2007-0871.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2007-0950.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2007-0950.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0195.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0195.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3382", "reference_id": "CVE-2007-3382", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3382" }, { "reference_url": "https://github.com/advisories/GHSA-qff8-g48j-pwpw", "reference_id": "GHSA-qff8-g48j-pwpw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qff8-g48j-pwpw" } ], "fixed_packages": [], "aliases": [ "CVE-2007-3382", "GHSA-qff8-g48j-pwpw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qz87-x4zb-rud7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43136?format=api", "vulnerability_id": "VCID-qzyq-d6qk-67ag", "summary": "Apache Tomcat Does Not Properly Handle Empty Requests\nApache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of \"a duplicate copy of one of the recent requests,\" as demonstrated by using netcat to send the empty request.", "references": [ { "reference_url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://support.apple.com/kb/HT3216", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT3216" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6286", "reference_id": "CVE-2007-6286", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6286" }, { "reference_url": "https://github.com/advisories/GHSA-qrj4-rmqg-4hcp", "reference_id": "GHSA-qrj4-rmqg-4hcp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qrj4-rmqg-4hcp" } ], "fixed_packages": [], "aliases": [ "CVE-2007-6286", "GHSA-qrj4-rmqg-4hcp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qzyq-d6qk-67ag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43225?format=api", "vulnerability_id": "VCID-rdr4-db3y-p3cz", "summary": "Improper Input Validation\nApache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.", "references": [ { "reference_url": "http://jvn.jp/en/jp/JVN87272440/index.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://jvn.jp/en/jp/JVN87272440/index.html" }, { "reference_url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=129070310906557&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=129070310906557&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://securitytracker.com/id?1022331", "reference_id": "", "reference_type": "", "scores": [], "url": "http://securitytracker.com/id?1022331" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50928", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50928" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10231", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10231" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19110", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19110" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5739", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5739" }, { "reference_url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1" }, { "reference_url": "http://support.apple.com/kb/HT4077", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT4077" }, { "reference_url": "http://svn.apache.org/viewvc?rev=742915&view=rev", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?rev=742915&view=rev" }, { "reference_url": "http://svn.apache.org/viewvc?rev=781362&view=rev", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?rev=781362&view=rev" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html" }, { "reference_url": "http://tomcat.apache.org/security-4.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-4.html" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://www.debian.org/security/2011/dsa-2207", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2011/dsa-2207" }, { "reference_url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:136", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:136" }, { "reference_url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:138", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:138" }, { "reference_url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176" }, { "reference_url": "http://www.securityfocus.com/archive/1/504044/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/504044/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/bid/35193", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/35193" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0033", "reference_id": "CVE-2009-0033", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0033" }, { "reference_url": "https://github.com/advisories/GHSA-5cw4-ggx9-36vg", "reference_id": "GHSA-5cw4-ggx9-36vg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5cw4-ggx9-36vg" } ], "fixed_packages": [], "aliases": [ "CVE-2009-0033", "GHSA-5cw4-ggx9-36vg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rdr4-db3y-p3cz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44179?format=api", "vulnerability_id": "VCID-redv-2x5y-8khx", "summary": "Cross-Site Request Forgery (CSRF)\norg/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00051.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00051.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00080.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00080.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136612293908376&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136612293908376&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2013-0267.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2013-0267.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2013-0268.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2013-0268.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2013-0647.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2013-0647.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2013-0648.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2013-0648.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html" }, { "reference_url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18541", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18541" }, { "reference_url": "http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?r1=1393088&r2=1393087&pathrev=1393088", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?r1=1393088&r2=1393087&pathrev=1393088" }, { "reference_url": "http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?r1=1393088&r2=1393087&pathrev=1393088", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?r1=1393088&r2=1393087&pathrev=1393088" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1393088", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1393088" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.ubuntu.com/usn/USN-1685-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-1685-1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4431", "reference_id": "CVE-2012-4431", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4431" }, { "reference_url": "https://github.com/advisories/GHSA-76vr-72mv-mf3q", "reference_id": "GHSA-76vr-72mv-mf3q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-76vr-72mv-mf3q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63549?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.36", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.36" }, { "url": "http://public2.vulnerablecode.io/api/packages/63550?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.32", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.32" } ], "aliases": [ "CVE-2012-4431", "GHSA-76vr-72mv-mf3q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-redv-2x5y-8khx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43772?format=api", "vulnerability_id": "VCID-s37s-p75k-27e6", "summary": "Apache Tomcat vulnerable to SecurityManager bypass\nA malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-3mjp-p938-4329", "reference_id": "GHSA-3mjp-p938-4329", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3mjp-p938-4329" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62432?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.46", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.46" }, { "url": "http://public2.vulnerablecode.io/api/packages/62853?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.71", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.71" }, { "url": "http://public2.vulnerablecode.io/api/packages/62099?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.0.37", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.37" }, { "url": "http://public2.vulnerablecode.io/api/packages/56259?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.5.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8xdc-3kn9-b3e6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/62100?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10" } ], "aliases": [ "CVE-2016-6796", "GHSA-3mjp-p938-4329" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s37s-p75k-27e6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43100?format=api", "vulnerability_id": "VCID-t3ya-1w1r-h3dv", "summary": "Apache Tomcat Sensitive Information Disclosure\nApache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by disconnecting during this processing in order to trigger the exception.", "references": [ { "reference_url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://security.gentoo.org/glsa/glsa-200804-10.xml", "reference_id": "", "reference_type": "", "scores": [], "url": "http://security.gentoo.org/glsa/glsa-200804-10.xml" }, { "reference_url": "http://support.apple.com/kb/HT3216", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT3216" }, { "reference_url": "https://web.archive.org/web/20080214133036/http://secunia.com/advisories/28915", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20080214133036/http://secunia.com/advisories/28915" }, { "reference_url": "https://web.archive.org/web/20080715062302/http://secunia.com/advisories/29711", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20080715062302/http://secunia.com/advisories/29711" }, { "reference_url": "https://web.archive.org/web/20080724052339/http://secunia.com/advisories/28834", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20080724052339/http://secunia.com/advisories/28834" }, { "reference_url": "https://web.archive.org/web/20081012021650/http://www.securityfocus.com/bid/27703", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20081012021650/http://www.securityfocus.com/bid/27703" }, { "reference_url": "https://web.archive.org/web/20081013050642/http://secunia.com/advisories/32222", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20081013050642/http://secunia.com/advisories/32222" }, { "reference_url": "https://web.archive.org/web/20081120062646/http://securityreason.com/securityalert/3638", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20081120062646/http://securityreason.com/securityalert/3638" }, { "reference_url": "https://web.archive.org/web/20081121133027/http://www.securityfocus.com/archive/1/487812/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20081121133027/http://www.securityfocus.com/archive/1/487812/100/0/threaded" }, { "reference_url": "https://web.archive.org/web/20091125140215/http://secunia.com/advisories/37460", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20091125140215/http://secunia.com/advisories/37460" }, { "reference_url": "https://web.archive.org/web/20120825080137/http://www.securityfocus.com/bid/31681", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20120825080137/http://www.securityfocus.com/bid/31681" }, { "reference_url": "https://web.archive.org/web/20140723000733/http://secunia.com/advisories/57126", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20140723000733/http://secunia.com/advisories/57126" }, { "reference_url": "https://web.archive.org/web/20150621204350/http://www.securityfocus.com/archive/1/507985/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20150621204350/http://www.securityfocus.com/archive/1/507985/100/0/threaded" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0002", "reference_id": "CVE-2008-0002", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0002" }, { "reference_url": "https://github.com/advisories/GHSA-5x5f-9r6q-q7mh", "reference_id": "GHSA-5x5f-9r6q-q7mh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5x5f-9r6q-q7mh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61689?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t4mh-zvhq-27du" }, { "vulnerability": "VCID-wg7f-pjmn-uudk" }, { "vulnerability": "VCID-y9hs-ymcm-3ucx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.16" } ], "aliases": [ "CVE-2008-0002", "GHSA-5x5f-9r6q-q7mh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ya-1w1r-h3dv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43184?format=api", "vulnerability_id": "VCID-t4mh-zvhq-27du", "summary": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nApache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.", "references": [ { "reference_url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=123376588623823&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=123376588623823&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44156", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44156" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10577", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10577" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5876", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5876" }, { "reference_url": "http://support.apple.com/kb/HT3216", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT3216" }, { "reference_url": "http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm" }, { "reference_url": "https://web.archive.org/web/20080827150120/http://securityreason.com/securityalert/4099", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20080827150120/http://securityreason.com/securityalert/4099" }, { "reference_url": "https://web.archive.org/web/20090201124618/http://secunia.com/advisories/31381", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090201124618/http://secunia.com/advisories/31381" }, { "reference_url": "https://web.archive.org/web/20090201124623/http://secunia.com/advisories/31639", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090201124623/http://secunia.com/advisories/31639" }, { "reference_url": "https://web.archive.org/web/20090201124633/http://secunia.com/advisories/31891", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090201124633/http://secunia.com/advisories/31891" }, { "reference_url": "https://web.archive.org/web/20090201124638/http://secunia.com/advisories/32120", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090201124638/http://secunia.com/advisories/32120" }, { "reference_url": "https://web.archive.org/web/20090201124957/http://secunia.com/advisories/31982", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090201124957/http://secunia.com/advisories/31982" }, { "reference_url": "https://web.archive.org/web/20090201125002/http://secunia.com/advisories/32266", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090201125002/http://secunia.com/advisories/32266" }, { "reference_url": "https://web.archive.org/web/20090201141000/http://secunia.com/advisories/32222", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090201141000/http://secunia.com/advisories/32222" }, { "reference_url": "https://web.archive.org/web/20090207111236/http://secunia.com/advisories/33797", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090207111236/http://secunia.com/advisories/33797" }, { "reference_url": "https://web.archive.org/web/20090225175903/http://secunia.com/advisories/33999", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090225175903/http://secunia.com/advisories/33999" }, { "reference_url": "https://web.archive.org/web/20090228074535/http://secunia.com/advisories/31379", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090228074535/http://secunia.com/advisories/31379" }, { "reference_url": "https://web.archive.org/web/20090228074540/http://secunia.com/advisories/34013", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090228074540/http://secunia.com/advisories/34013" }, { "reference_url": "https://web.archive.org/web/20090308065055/http://secunia.com/advisories/31865", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090308065055/http://secunia.com/advisories/31865" }, { "reference_url": "https://web.archive.org/web/20090811003155/http://secunia.com/advisories/35393", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090811003155/http://secunia.com/advisories/35393" }, { "reference_url": "https://web.archive.org/web/20090828023853/http://secunia.com/advisories/36249", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20090828023853/http://secunia.com/advisories/36249" }, { "reference_url": "https://web.archive.org/web/20100706231759/http://secunia.com/advisories/37460", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20100706231759/http://secunia.com/advisories/37460" }, { "reference_url": "https://web.archive.org/web/20110714083521/http://www.securitytracker.com/id?1020623", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20110714083521/http://www.securitytracker.com/id?1020623" }, { "reference_url": "https://web.archive.org/web/20110714174318/http://www.securityfocus.com/bid/30494", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20110714174318/http://www.securityfocus.com/bid/30494" }, { "reference_url": "https://web.archive.org/web/20120719164745/http://www.securityfocus.com/archive/1/495022/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20120719164745/http://www.securityfocus.com/archive/1/495022/100/0/threaded" }, { "reference_url": "https://web.archive.org/web/20120724210029/http://www.securityfocus.com/bid/31681", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20120724210029/http://www.securityfocus.com/bid/31681" }, { "reference_url": "https://web.archive.org/web/20140723000733/http://secunia.com/advisories/57126", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20140723000733/http://secunia.com/advisories/57126" }, { "reference_url": "https://web.archive.org/web/20150621204350/http://www.securityfocus.com/archive/1/507985/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20150621204350/http://www.securityfocus.com/archive/1/507985/100/0/threaded" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html" }, { "reference_url": "http://tomcat.apache.org/security-4.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-4.html" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html" }, { "reference_url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:188", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:188" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0648.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0648.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0864.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0864.html" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2009-0002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2009-0002.html" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2370", "reference_id": "CVE-2008-2370", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2370" }, { "reference_url": "https://github.com/advisories/GHSA-m8h8-6rvg-f4mg", "reference_id": "GHSA-m8h8-6rvg-f4mg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m8h8-6rvg-f4mg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61799?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hmqa-jhuf-hfe2" }, { "vulnerability": "VCID-rdr4-db3y-p3cz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.18" } ], "aliases": [ "CVE-2008-2370", "GHSA-m8h8-6rvg-f4mg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t4mh-zvhq-27du" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38756?format=api", "vulnerability_id": "VCID-tcmv-6ftg-fqen", "summary": "Information Exposure Through Timing Discrepancy\nThe Realm implementations in Apache Tomcat does not process the supplied password if the supplied user name did not exist which makes it possible to use a timing attack to determine valid user names.", "references": [ { "reference_url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0455", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0455" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0456", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0456" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2247", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2247" }, { "reference_url": "https://lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009@%3Cannounce.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009@%3Cannounce.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180605-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180605-0001/" }, { "reference_url": "https://usn.ubuntu.com/4557-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4557-1/" }, { "reference_url": "https://www.oracle.com//security-alerts/cpujul2021.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3720", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3720" }, { "reference_url": "http://www.securityfocus.com/bid/93939", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/93939" }, { "reference_url": "http://www.securitytracker.com/id/1037144", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1037144" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", "reference_id": "CVE-2016-0762", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0762" }, { "reference_url": "https://github.com/advisories/GHSA-wxcp-f2c8-x6xv", "reference_id": "GHSA-wxcp-f2c8-x6xv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wxcp-f2c8-x6xv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62432?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.46", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.46" }, { "url": "http://public2.vulnerablecode.io/api/packages/62098?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.72", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.72" }, { "url": "http://public2.vulnerablecode.io/api/packages/62099?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.0.37", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.37" }, { "url": "http://public2.vulnerablecode.io/api/packages/56259?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@8.5.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8xdc-3kn9-b3e6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/62100?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10" } ], "aliases": [ "CVE-2016-0762", "GHSA-wxcp-f2c8-x6xv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tcmv-6ftg-fqen" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43987?format=api", "vulnerability_id": "VCID-vsta-e8jg-4qa8", "summary": "Apache Tomcat does not enforce the maxHttpHeaderSize limit\nApache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request.", "references": [ { "reference_url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65162", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65162" }, { "reference_url": "https://github.com/apache/tomcat/commit/008447095ce8c3a8f713093d5e618f3f06f94ea8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat/commit/008447095ce8c3a8f713093d5e618f3f06f94ea8" }, { "reference_url": "https://support.apple.com/kb/HT5002", "reference_id": "", "reference_type": "", "scores": [], "url": "https://support.apple.com/kb/HT5002" }, { "reference_url": "http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html" }, { "reference_url": "https://web.archive.org/web/20110801035315/http://secunia.com/advisories/45022", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20110801035315/http://secunia.com/advisories/45022" }, { "reference_url": "https://web.archive.org/web/20120120085637/http://securityreason.com/securityalert/8074", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20120120085637/http://securityreason.com/securityalert/8074" }, { "reference_url": "https://web.archive.org/web/20121024140440/http://secunia.com/advisories/43192", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20121024140440/http://secunia.com/advisories/43192" }, { "reference_url": "https://web.archive.org/web/20121212040149/http://www.securitytracker.com/id?1025027", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20121212040149/http://www.securitytracker.com/id?1025027" }, { "reference_url": "https://web.archive.org/web/20131227020011/http://www.securityfocus.com/bid/46164", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20131227020011/http://www.securityfocus.com/bid/46164" }, { "reference_url": "https://web.archive.org/web/20151017023138/http://secunia.com/advisories/57126", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20151017023138/http://secunia.com/advisories/57126" }, { "reference_url": "https://web.archive.org/web/20200517155748/http://www.securityfocus.com/archive/1/516214/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20200517155748/http://www.securityfocus.com/archive/1/516214/100/0/threaded" }, { "reference_url": "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.32", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.32" }, { "reference_url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.8_(released_5_Feb_2011)", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.8_(released_5_Feb_2011)" }, { "reference_url": "http://www.debian.org/security/2011/dsa-2160", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2011/dsa-2160" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0534", "reference_id": "CVE-2011-0534", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0534" }, { "reference_url": "https://github.com/advisories/GHSA-43v2-6grp-9pp9", "reference_id": "GHSA-43v2-6grp-9pp9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-43v2-6grp-9pp9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61887?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.32", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/63236?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.8" } ], "aliases": [ "CVE-2011-0534", "GHSA-43v2-6grp-9pp9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vsta-e8jg-4qa8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43172?format=api", "vulnerability_id": "VCID-w8uj-zy2r-fyca", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nMultiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a \"snp/snoop.jsp;\" sequence.", "references": [ { "reference_url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2008-0630.html" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34869", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34869" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://support.apple.com/kb/HT2163", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT2163" }, { "reference_url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html" }, { "reference_url": "http://tomcat.apache.org/security-4.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-4.html" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2007-0569.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2007-0569.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2007-2449", "reference_id": "CVE-2007-2449", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-2449" }, { "reference_url": "https://github.com/advisories/GHSA-hc39-rjwp-qffq", "reference_id": "GHSA-hc39-rjwp-qffq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hc39-rjwp-qffq" } ], "fixed_packages": [], "aliases": [ "CVE-2007-2449", "GHSA-hc39-rjwp-qffq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w8uj-zy2r-fyca" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43101?format=api", "vulnerability_id": "VCID-wg7f-pjmn-uudk", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method.", "references": [ { "reference_url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15/ca20090615-02-ca-service-desk-tomcat-cross-site-scripting-vulnerability.aspx", "reference_id": "", "reference_type": "", "scores": [], "url": "http://community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15/ca20090615-02-ca-service-desk-tomcat-cross-site-scripting-vulnerability.aspx" }, { "reference_url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=123376588623823&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=123376588623823&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2008:0648", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2008:0648" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2008:0862", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2008:0862" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2008:0864", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2008:0864" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2008:0877", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2008:0877" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2008:1007", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2008:1007" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2010:0602", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2010:0602" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=457597", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=457597" }, { "reference_url": "http://secunia.com/advisories/31379", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/31379" }, { "reference_url": "http://secunia.com/advisories/31381", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/31381" }, { "reference_url": "http://secunia.com/advisories/31639", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/31639" }, { "reference_url": "http://secunia.com/advisories/31865", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/31865" }, { "reference_url": "http://secunia.com/advisories/31891", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/31891" }, { "reference_url": "http://secunia.com/advisories/31982", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/31982" }, { "reference_url": "http://secunia.com/advisories/32120", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/32120" }, { "reference_url": "http://secunia.com/advisories/32222", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/32222" }, { "reference_url": "http://secunia.com/advisories/32266", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/32266" }, { "reference_url": "http://secunia.com/advisories/33797", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/33797" }, { "reference_url": "http://secunia.com/advisories/33999", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/33999" }, { "reference_url": "http://secunia.com/advisories/34013", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/34013" }, { "reference_url": "http://secunia.com/advisories/35474", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/35474" }, { "reference_url": "http://secunia.com/advisories/36108", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/36108" }, { "reference_url": "http://secunia.com/advisories/37460", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/37460" }, { "reference_url": "http://secunia.com/advisories/57126", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/57126" }, { "reference_url": "http://securityreason.com/securityalert/4098", "reference_id": "", "reference_type": "", "scores": [], "url": "http://securityreason.com/securityalert/4098" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44155", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44155" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11181", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11181" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5985", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5985" }, { "reference_url": "https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209500", "reference_id": "", "reference_type": "", "scores": [], "url": "https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209500" }, { "reference_url": "https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214095", "reference_id": "", "reference_type": "", "scores": [], "url": "https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214095" }, { "reference_url": "http://support.apple.com/kb/HT3216", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT3216" }, { "reference_url": "http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html" }, { "reference_url": "http://tomcat.apache.org/security-4.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-4.html" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:188", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:188" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0648.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0648.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2008-0864.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2008-0864.html" }, { "reference_url": "http://www.securityfocus.com/archive/1/495021/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/495021/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/archive/1/504351/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/504351/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/archive/1/505556/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/505556/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/bid/30496", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/30496" }, { "reference_url": "http://www.securityfocus.com/bid/31681", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/31681" }, { "reference_url": "http://www.securitytracker.com/id?1020622", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id?1020622" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2009-0002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2009-0002.html" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" }, { "reference_url": "http://www.vupen.com/english/advisories/2008/2305", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vupen.com/english/advisories/2008/2305" }, { "reference_url": "http://www.vupen.com/english/advisories/2008/2780", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vupen.com/english/advisories/2008/2780" }, { "reference_url": "http://www.vupen.com/english/advisories/2008/2823", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vupen.com/english/advisories/2008/2823" }, { "reference_url": "http://www.vupen.com/english/advisories/2009/0320", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vupen.com/english/advisories/2009/0320" }, { "reference_url": "http://www.vupen.com/english/advisories/2009/0503", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vupen.com/english/advisories/2009/0503" }, { "reference_url": "http://www.vupen.com/english/advisories/2009/1609", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vupen.com/english/advisories/2009/1609" }, { "reference_url": "http://www.vupen.com/english/advisories/2009/2194", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vupen.com/english/advisories/2009/2194" }, { "reference_url": "http://www.vupen.com/english/advisories/2009/3316", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vupen.com/english/advisories/2009/3316" }, { "reference_url": "https://access.redhat.com/security/cve/CVE-2008-1232", "reference_id": "CVE-2008-1232", "reference_type": "", "scores": [], "url": "https://access.redhat.com/security/cve/CVE-2008-1232" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1232", "reference_id": "CVE-2008-1232", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1232" }, { "reference_url": "https://github.com/advisories/GHSA-q74x-qqhr-f8rx", "reference_id": "GHSA-q74x-qqhr-f8rx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q74x-qqhr-f8rx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61695?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.17" } ], "aliases": [ "CVE-2008-1232", "GHSA-q74x-qqhr-f8rx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wg7f-pjmn-uudk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43937?format=api", "vulnerability_id": "VCID-wtke-y2cx-x3et", "summary": "Improper Input Validation in Apache Tomcat\nApache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.", "references": [ { "reference_url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3c4EFB9800.5010106@apache.org%3e", "reference_id": "", "reference_type": "", "scores": [], "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3c4EFB9800.5010106@apache.org%3e" }, { "reference_url": "http://marc.info/?l=bugtraq&m=132871655717248&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=132871655717248&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133294394108746&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133294394108746&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=750521", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=750521" }, { "reference_url": "https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18886", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18886" }, { "reference_url": "http://tomcat.apache.org/tomcat-7.0-doc/changelog.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/tomcat-7.0-doc/changelog.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "http://www.kb.cert.org/vuls/id/903934", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.kb.cert.org/vuls/id/903934" }, { "reference_url": "http://www.nruns.com/_downloads/advisory28122011.pdf", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.nruns.com/_downloads/advisory28122011.pdf" }, { "reference_url": "http://www.ocert.org/advisories/ocert-2011-003.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ocert.org/advisories/ocert-2011-003.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4858", "reference_id": "CVE-2011-4858", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4858" }, { "reference_url": "https://github.com/advisories/GHSA-wr3m-gw98-mc3j", "reference_id": "GHSA-wr3m-gw98-mc3j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wr3m-gw98-mc3j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63157?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.35", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.35" }, { "url": "http://public2.vulnerablecode.io/api/packages/56512?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wmb3-3j7y-due7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.23" } ], "aliases": [ "CVE-2011-4858", "GHSA-wr3m-gw98-mc3j" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wtke-y2cx-x3et" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43233?format=api", "vulnerability_id": "VCID-y9yv-u4jh-mqew", "summary": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nDirectory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry.", "references": [ { "reference_url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113", "reference_id": "", "reference_type": "", "scores": [], "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113" }, { "reference_url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=127420533226623&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55855", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55855" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19355", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19355" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7017", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7017" }, { "reference_url": "http://support.apple.com/kb/HT4077", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT4077" }, { "reference_url": "http://svn.apache.org/viewvc?rev=892815&view=rev", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?rev=892815&view=rev" }, { "reference_url": "http://svn.apache.org/viewvc?rev=902650&view=rev", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?rev=902650&view=rev" }, { "reference_url": "https://web.archive.org/web/20200229071135/http://www.securityfocus.com/bid/37944", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20200229071135/http://www.securityfocus.com/bid/37944" }, { "reference_url": "https://web.archive.org/web/20200516121700/http://www.securityfocus.com/archive/1/516397/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20200516121700/http://www.securityfocus.com/archive/1/516397/100/0/threaded" }, { "reference_url": "https://web.archive.org/web/20201206235536/http://www.securityfocus.com/archive/1/509148/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20201206235536/http://www.securityfocus.com/archive/1/509148/100/0/threaded" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://ubuntu.com/usn/usn-899-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://ubuntu.com/usn/usn-899-1" }, { "reference_url": "http://www.debian.org/security/2011/dsa-2207", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2011/dsa-2207" }, { "reference_url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:176" }, { "reference_url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:177", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:177" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2010-0119.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2010-0119.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2010-0580.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2010-0580.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2010-0582.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2010-0582.html" }, { "reference_url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/security/advisories/VMSA-2011-0003.html" }, { "reference_url": "http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2693", "reference_id": "CVE-2009-2693", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2693" }, { "reference_url": "https://github.com/advisories/GHSA-ggx9-4728-588r", "reference_id": "GHSA-ggx9-4728-588r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ggx9-4728-588r" } ], "fixed_packages": [], "aliases": [ "CVE-2009-2693", "GHSA-ggx9-4728-588r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y9yv-u4jh-mqew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43093?format=api", "vulnerability_id": "VCID-yswq-hnqg-sycs", "summary": "Apache Tomcat Cross-site scripting (XSS) vulnerability\nCross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to `host-manager/html/add`.", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2008:0648", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2008:0648" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2008:0862", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2008:0862" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2008:0864", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2008:0864" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2008:1007", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2008:1007" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=446393", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=446393" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42816", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42816" }, { "reference_url": "https://github.com/apache/tomcat", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat" }, { "reference_url": "https://github.com/apache/tomcat/commit/49c71fc59c1b8f8da77aea9eb53e61db168aebab", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat/commit/49c71fc59c1b8f8da77aea9eb53e61db168aebab" }, { "reference_url": "https://github.com/apache/tomcat/commit/5f00d434c8dc11bd49ce0b4b56fe889839056030", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat/commit/5f00d434c8dc11bd49ce0b4b56fe889839056030" }, { "reference_url": "https://github.com/apache/tomcat/commit/78ad0fcbe29c824f1f2e45a4e2716247b033250a", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat/commit/78ad0fcbe29c824f1f2e45a4e2716247b033250a" }, { "reference_url": "https://github.com/apache/tomcat/commit/ab6a6c41ac972c845717c9d639f0335865afab4d", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat/commit/ab6a6c41ac972c845717c9d639f0335865afab4d" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009" }, { "reference_url": "https://web.archive.org/web/20200514224656/http://www.securityfocus.com/archive/1/507985/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20200514224656/http://www.securityfocus.com/archive/1/507985/100/0/threaded" }, { "reference_url": "https://web.archive.org/web/20201208011750/http://www.securityfocus.com/archive/1/492958/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20201208011750/http://www.securityfocus.com/archive/1/492958/100/0/threaded" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html" }, { "reference_url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html" }, { "reference_url": "https://access.redhat.com/security/cve/CVE-2008-1947", "reference_id": "CVE-2008-1947", "reference_type": "", "scores": [], "url": "https://access.redhat.com/security/cve/CVE-2008-1947" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1947", "reference_id": "CVE-2008-1947", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1947" }, { "reference_url": "https://github.com/advisories/GHSA-f98p-9pp6-7q6c", "reference_id": "GHSA-f98p-9pp6-7q6c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f98p-9pp6-7q6c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61799?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hmqa-jhuf-hfe2" }, { "vulnerability": "VCID-rdr4-db3y-p3cz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.18" } ], "aliases": [ "CVE-2008-1947", "GHSA-f98p-9pp6-7q6c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yswq-hnqg-sycs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44036?format=api", "vulnerability_id": "VCID-yvcg-96dp-r7e6", "summary": "Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat\nApache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=130168502603566&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=130168502603566&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=132215163318824&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=132215163318824&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://securityreason.com/securityalert/8072", "reference_id": "", "reference_type": "", "scores": [], "url": "http://securityreason.com/securityalert/8072" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65159", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65159" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12517", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12517" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13969", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13969" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19379", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19379" }, { "reference_url": "http://support.apple.com/kb/HT5002", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT5002" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2011/dsa-2160", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2011/dsa-2160" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2011-0791.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2011-0791.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2011-0896.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2011-0896.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2011-0897.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2011-0897.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3718", "reference_id": "CVE-2010-3718", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3718" }, { "reference_url": "https://github.com/advisories/GHSA-fj6c-prgj-gr3r", "reference_id": "GHSA-fj6c-prgj-gr3r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fj6c-prgj-gr3r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63316?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.4" } ], "aliases": [ "CVE-2010-3718", "GHSA-fj6c-prgj-gr3r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yvcg-96dp-r7e6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43259?format=api", "vulnerability_id": "VCID-zm75-zwps-h3fv", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nMultiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=130168502603566&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=130168502603566&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=132215163318824&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=132215163318824&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=675786", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=675786" }, { "reference_url": "http://securityreason.com/securityalert/8093", "reference_id": "", "reference_type": "", "scores": [], "url": "http://securityreason.com/securityalert/8093" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12878", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12878" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14945", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14945" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19269", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19269" }, { "reference_url": "http://support.apple.com/kb/HT5002", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.apple.com/kb/HT5002" }, { "reference_url": "http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html" }, { "reference_url": "http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32" }, { "reference_url": "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30" }, { "reference_url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_(released_14_Jan_2011)", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6_(released_14_Jan_2011)" }, { "reference_url": "http://www.debian.org/security/2011/dsa-2160", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2011/dsa-2160" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2011-0791.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2011-0791.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2011-0896.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2011-0896.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2011-0897.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2011-0897.html" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0013", "reference_id": "CVE-2011-0013", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0013" }, { "reference_url": "https://github.com/advisories/GHSA-3p86-xgrq-m6p6", "reference_id": "GHSA-3p86-xgrq-m6p6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3p86-xgrq-m6p6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61953?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-vsta-e8jg-4qa8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/61954?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-vsta-e8jg-4qa8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.6" } ], "aliases": [ "CVE-2011-0013", "GHSA-3p86-xgrq-m6p6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zm75-zwps-h3fv" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.0" }