| purl | pkg:rpm/redhat/apache-commons-collections-eap6@3.2.1-18.redhat_7.1.ep6?arch=el6 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1d24-sy5z-jfhh Aliases: CVE-2013-5704 | HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. This fix adds the "MergeTrailers" directive to restore legacy behavior. | There are no reported fixed by versions. |
| VCID-32uq-r1e7-3ub4 Aliases: CVE-2015-7501 GHSA-fjq5-5j5f-mvxh | InvokerTransformer code execution during deserialization. This package allows code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. | There are no reported fixed by versions. |
| VCID-4mkw-7haq-pkgn Aliases: CVE-2014-0230 GHSA-pxcx-cxq8-4mmw | Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts. | There are no reported fixed by versions. |
| VCID-drq1-cttn-jfaw Aliases: CVE-2015-5304 | EAP: missing authorization check for Monitor/Deployer/Auditor role when shutting down server | There are no reported fixed by versions. |
| VCID-fnxp-n271-mfd8 Aliases: CVE-2014-3581 | A NULL pointer dereference was found in mod_cache. A malicious HTTP server could cause a crash in a caching forward proxy configuration. This crash would only be a denial of service if using a threaded MPM. | There are no reported fixed by versions. |
| VCID-k4kb-21tp-4kc8 Aliases: CVE-2015-3183 | An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use. | There are no reported fixed by versions. |
| VCID-p6ch-pc73-b3ck Aliases: CVE-2015-5174 GHSA-6qr6-x7jm-x2q6 | Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. | There are no reported fixed by versions. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |