Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/62994?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/62994?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.12", "type": "maven", "namespace": "org.apache.tomcat", "name": "tomcat", "version": "7.0.12", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "7.0.14", "latest_non_vulnerable_version": "11.0.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43849?format=api", "vulnerability_id": "VCID-1e8h-uhj4-akhz", "summary": "Access restriction bypass in Apache Tomcat\nApache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.", "references": [ { "reference_url": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E" }, { "reference_url": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103@apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103@apache.org%3E" }, { "reference_url": "http://securityreason.com/securityalert/8256", "reference_id": "", "reference_type": "", "scores": [], "url": "http://securityreason.com/securityalert/8256" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67515", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67515" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1100832", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1100832" }, { "reference_url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29" }, { "reference_url": "http://www.securityfocus.com/archive/1/518032/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/518032/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/bid/47886", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/47886" }, { "reference_url": "http://www.vupen.com/english/advisories/2011/1255", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.vupen.com/english/advisories/2011/1255" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1582", "reference_id": "CVE-2011-1582", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1582" }, { "reference_url": "https://github.com/advisories/GHSA-3xpj-jgv5-q4vv", "reference_id": "GHSA-3xpj-jgv5-q4vv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3xpj-jgv5-q4vv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62995?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.14" } ], "aliases": [ "CVE-2011-1582", "GHSA-3xpj-jgv5-q4vv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1e8h-uhj4-akhz" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44064?format=api", "vulnerability_id": "VCID-46sr-9kr3-1ubw", "summary": "Improper Authentication\nThe HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html" }, { "reference_url": "http://secunia.com/advisories/57126", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/57126" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1087655", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1087655" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1158180", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1158180" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1159309", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1159309" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5063", "reference_id": "CVE-2011-5063", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5063" }, { "reference_url": "https://github.com/advisories/GHSA-hffm-fqv4-w27r", "reference_id": "GHSA-hffm-fqv4-w27r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hffm-fqv4-w27r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63019?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@5.5.34", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.34" }, { "url": "http://public2.vulnerablecode.io/api/packages/63020?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4t2h-jjhm-y7fq" }, { "vulnerability": "VCID-ft1c-mand-mkcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/62994?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1e8h-uhj4-akhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.12" } ], "aliases": [ "CVE-2011-5063", "GHSA-hffm-fqv4-w27r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-46sr-9kr3-1ubw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43888?format=api", "vulnerability_id": "VCID-74c7-a56p-kufz", "summary": "Use of Hard-coded Cryptographic Key in Apache Tomcat\nDigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html" }, { "reference_url": "http://secunia.com/advisories/57126", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/57126" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1087655", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1087655" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1158180", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1158180" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1159309", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1159309" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5064", "reference_id": "CVE-2011-5064", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5064" }, { "reference_url": "https://github.com/advisories/GHSA-6cr4-7c7p-p3xv", "reference_id": "GHSA-6cr4-7c7p-p3xv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6cr4-7c7p-p3xv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63019?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@5.5.34", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.34" }, { "url": "http://public2.vulnerablecode.io/api/packages/63020?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4t2h-jjhm-y7fq" }, { "vulnerability": "VCID-ft1c-mand-mkcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/62994?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1e8h-uhj4-akhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.12" } ], "aliases": [ "CVE-2011-5064", "GHSA-6cr4-7c7p-p3xv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-74c7-a56p-kufz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44037?format=api", "vulnerability_id": "VCID-89e9-m968-vfhe", "summary": "Authentication Bypass in Apache Tomcat\nThe HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=133469267822771&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=136485229118404&w=2" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19169", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19169" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1087655", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1087655" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1158180", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1158180" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1159309", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1159309" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.redhat.com/support/errata/RHSA-2011-1845.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1184", "reference_id": "CVE-2011-1184", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1184" }, { "reference_url": "https://github.com/advisories/GHSA-q9xf-jwr4-v445", "reference_id": "GHSA-q9xf-jwr4-v445", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q9xf-jwr4-v445" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63019?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@5.5.34", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.34" }, { "url": "http://public2.vulnerablecode.io/api/packages/63020?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4t2h-jjhm-y7fq" }, { "vulnerability": "VCID-ft1c-mand-mkcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/62994?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1e8h-uhj4-akhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.12" } ], "aliases": [ "CVE-2011-1184", "GHSA-q9xf-jwr4-v445" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-89e9-m968-vfhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43865?format=api", "vulnerability_id": "VCID-9hm5-e4dw-6ffe", "summary": "Improper Authentication in Apache Tomcat\nThe HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=139344343412337&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html" }, { "reference_url": "http://secunia.com/advisories/57126", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/57126" }, { "reference_url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1087655", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1087655" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1158180", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1158180" }, { "reference_url": "http://svn.apache.org/viewvc?view=rev&rev=1159309", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=rev&rev=1159309" }, { "reference_url": "http://tomcat.apache.org/security-5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-5.html" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.debian.org/security/2012/dsa-2401", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2012/dsa-2401" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5062", "reference_id": "CVE-2011-5062", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5062" }, { "reference_url": "https://github.com/advisories/GHSA-4f7h-9j2x-cmr4", "reference_id": "GHSA-4f7h-9j2x-cmr4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4f7h-9j2x-cmr4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63019?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@5.5.34", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.34" }, { "url": "http://public2.vulnerablecode.io/api/packages/63020?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@6.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4t2h-jjhm-y7fq" }, { "vulnerability": "VCID-ft1c-mand-mkcb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/62994?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1e8h-uhj4-akhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.12" } ], "aliases": [ "CVE-2011-5062", "GHSA-4f7h-9j2x-cmr4" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9hm5-e4dw-6ffe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44023?format=api", "vulnerability_id": "VCID-smj1-gnyx-nyc6", "summary": "Access controll bypass in Apache Tomcat\nApache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419.", "references": [ { "reference_url": "http://seclists.org/fulldisclosure/2011/Apr/96", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/fulldisclosure/2011/Apr/96" }, { "reference_url": "http://securityreason.com/securityalert/8187", "reference_id": "", "reference_type": "", "scores": [], "url": "http://securityreason.com/securityalert/8187" }, { "reference_url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66675", "reference_id": "", "reference_type": "", "scores": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66675" }, { "reference_url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12701", "reference_id": "", "reference_type": "", "scores": [], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12701" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1087643", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1087643" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://www.securityfocus.com/archive/1/517362/100/0/threaded", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/archive/1/517362/100/0/threaded" }, { "reference_url": "http://www.securityfocus.com/bid/47196", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/47196" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1183", "reference_id": "CVE-2011-1183", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1183" }, { "reference_url": "https://github.com/advisories/GHSA-p26v-97vp-jcx6", "reference_id": "GHSA-p26v-97vp-jcx6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-p26v-97vp-jcx6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62994?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@7.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1e8h-uhj4-akhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.12" } ], "aliases": [ "CVE-2011-1183", "GHSA-p26v-97vp-jcx6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-smj1-gnyx-nyc6" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.12" }