VulnerableCode Package Details - pkg:rpm/redhat/jbossws-framework@2.0.1-1.GA

Search for packages

Vulnerability	Summary	Fixed by
VCID-4rcx-xfn5-7kdb Aliases: CVE-2009-0580 GHSA-w227-xcfx-3pj8	Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.	There are no reported fixed by versions.
VCID-mnf8-t3ew-4fgb Aliases: CVE-2008-5515 GHSA-9737-qmgc-hfr9	Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.	There are no reported fixed by versions.
VCID-r84b-7ay9-ekcm Aliases: CVE-2009-0783 GHSA-hhjg-g8xq-hhr3	Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-4rcx-xfn5-7kdb
Aliases:
CVE-2009-0580
GHSA-w227-xcfx-3pj8

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.

There are no reported fixed by versions.

VCID-mnf8-t3ew-4fgb
Aliases:
CVE-2008-5515
GHSA-9737-qmgc-hfr9

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

There are no reported fixed by versions.

VCID-r84b-7ay9-ekcm
Aliases:
CVE-2009-0783
GHSA-hhjg-g8xq-hhr3

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:58:15.619923+00:00	RedHat Importer	Affected by	VCID-4rcx-xfn5-7kdb	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0580.json	38.0.0
2026-04-01T14:58:13.669632+00:00	RedHat Importer	Affected by	VCID-r84b-7ay9-ekcm	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0783.json	38.0.0
2026-04-01T14:58:12.149487+00:00	RedHat Importer	Affected by	VCID-mnf8-t3ew-4fgb	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-5515.json	38.0.0