Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.tomcat/tomcat@4.1.40

Type maven

Namespace org.apache.tomcat

Name tomcat

Version 4.1.40

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.0.31

Latest_non_vulnerable_version 11.0.18

Affected_by_vulnerabilities

url VCID-w632-npc7-h7hs

vulnerability_id VCID-w632-npc7-h7hs

summary

Exposure of Sensitive Information to an Unauthorized Actor
The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.

references

reference_url	https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E

reference_url	http://tomcat.apache.org/security-4.html
reference_id
reference_type
scores
url	http://tomcat.apache.org/security-4.html

reference_url	http://www.securityfocus.com/bid/28483
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/28483

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2005-4836
reference_id	CVE-2005-4836
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2005-4836

reference_url	https://github.com/advisories/GHSA-qrcx-p4rr-g48h
reference_id	GHSA-qrcx-p4rr-g48h
reference_type
scores
url	https://github.com/advisories/GHSA-qrcx-p4rr-g48h

fixed_packages

aliases CVE-2005-4836, GHSA-qrcx-p4rr-g48h

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w632-npc7-h7hs

Fixing_vulnerabilities

url VCID-7787-4bwm-efgq

vulnerability_id VCID-7787-4bwm-efgq

summary

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

references

reference_url	http://jvn.jp/en/jp/JVN63832775/index.html
reference_id
reference_type
scores
url	http://jvn.jp/en/jp/JVN63832775/index.html

reference_url	http://marc.info/?l=bugtraq&m=127420533226623&w=2
reference_id
reference_type
scores
url	http://marc.info/?l=bugtraq&m=127420533226623&w=2

reference_url	http://marc.info/?l=bugtraq&m=129070310906557&w=2
reference_id
reference_type
scores
url	http://marc.info/?l=bugtraq&m=129070310906557&w=2

reference_url	http://marc.info/?l=bugtraq&m=136485229118404&w=2
reference_id
reference_type
scores
url	http://marc.info/?l=bugtraq&m=136485229118404&w=2

reference_url	https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E

reference_url	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422
reference_id
reference_type
scores
url	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422

reference_url	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452
reference_id
reference_type
scores
url	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452

reference_url	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445
reference_id
reference_type
scores
url	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445

reference_url	http://support.apple.com/kb/HT4077
reference_id
reference_type
scores
url	http://support.apple.com/kb/HT4077

reference_url	https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html
reference_id
reference_type
scores
url	https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html

reference_url	https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html
reference_id
reference_type
scores
url	https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html

reference_url	https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html
reference_id
reference_type
scores
url	https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html

reference_url	http://tomcat.apache.org/security-4.html
reference_id
reference_type
scores
url	http://tomcat.apache.org/security-4.html

reference_url	http://tomcat.apache.org/security-5.html
reference_id
reference_type
scores
url	http://tomcat.apache.org/security-5.html

reference_url	http://tomcat.apache.org/security-6.html
reference_id
reference_type
scores
url	http://tomcat.apache.org/security-6.html

reference_url	http://www.debian.org/security/2011/dsa-2207
reference_id
reference_type
scores
url	http://www.debian.org/security/2011/dsa-2207

reference_url	http://www.vmware.com/security/advisories/VMSA-2009-0016.html
reference_id
reference_type
scores
url	http://www.vmware.com/security/advisories/VMSA-2009-0016.html

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2008-5515
reference_id	CVE-2008-5515
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2008-5515

reference_url	https://github.com/advisories/GHSA-9737-qmgc-hfr9
reference_id	GHSA-9737-qmgc-hfr9
reference_type
scores
url	https://github.com/advisories/GHSA-9737-qmgc-hfr9

fixed_packages

url pkg:maven/org.apache.tomcat/tomcat@4.1.40

purl pkg:maven/org.apache.tomcat/tomcat@4.1.40

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-w632-npc7-h7hs

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@4.1.40

url pkg:maven/org.apache.tomcat/tomcat@5.5.28

purl pkg:maven/org.apache.tomcat/tomcat@5.5.28

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9j31-459b-4qbm

vulnerability	VCID-eawm-8v9w-yfap

vulnerability	VCID-y9yv-u4jh-mqew

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.28

url pkg:maven/org.apache.tomcat/tomcat@6.0.20

purl pkg:maven/org.apache.tomcat/tomcat@6.0.20

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9j31-459b-4qbm

vulnerability	VCID-eawm-8v9w-yfap

vulnerability	VCID-y9yv-u4jh-mqew

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.20

aliases CVE-2008-5515, GHSA-9737-qmgc-hfr9

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7787-4bwm-efgq

url VCID-crhe-rt8j-wycu

vulnerability_id VCID-crhe-rt8j-wycu

summary

Exposure of Sensitive Information to an Unauthorized Actor
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.

references

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2009-0580
reference_id	CVE-2009-0580
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2009-0580

reference_url	https://github.com/advisories/GHSA-w227-xcfx-3pj8
reference_id	GHSA-w227-xcfx-3pj8
reference_type
scores
url	https://github.com/advisories/GHSA-w227-xcfx-3pj8

fixed_packages

url pkg:maven/org.apache.tomcat/tomcat@4.1.40

purl pkg:maven/org.apache.tomcat/tomcat@4.1.40

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-w632-npc7-h7hs

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@4.1.40

url pkg:maven/org.apache.tomcat/tomcat@5.5.28

purl pkg:maven/org.apache.tomcat/tomcat@5.5.28

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9j31-459b-4qbm

vulnerability	VCID-eawm-8v9w-yfap

vulnerability	VCID-y9yv-u4jh-mqew

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.28

url	pkg:maven/org.apache.tomcat/tomcat@6.0.19
purl	pkg:maven/org.apache.tomcat/tomcat@6.0.19
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.19

aliases CVE-2009-0580, GHSA-w227-xcfx-3pj8

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-crhe-rt8j-wycu

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@4.1.40

Package Instance