Search for packages
| purl | pkg:rpm/redhat/tomcat5@5.5.23-0jpp.22?arch=el5_7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1v6c-f56v-hqh1
Aliases: CVE-2011-5062 GHSA-4f7h-9j2x-cmr4 |
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184. | There are no reported fixed by versions. |
|
VCID-8ebv-6941-jqdy
Aliases: CVE-2011-5063 GHSA-hffm-fqv4-w27r |
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184. | There are no reported fixed by versions. |
|
VCID-d9ys-kxh6-nkgr
Aliases: CVE-2011-1184 GHSA-q9xf-jwr4-v445 |
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values. | There are no reported fixed by versions. |
|
VCID-dhun-hj5q-dfch
Aliases: CVE-2011-0013 GHSA-3p86-xgrq-m6p6 |
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag. | There are no reported fixed by versions. |
|
VCID-egye-da2v-4ybh
Aliases: CVE-2011-5064 GHSA-6cr4-7c7p-p3xv |
Use of Hard-coded Cryptographic Key in Apache Tomcat DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184. | There are no reported fixed by versions. |
|
VCID-mctd-9zgv-5qgp
Aliases: CVE-2011-2204 GHSA-c57p-3v2g-w9rg |
Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file. | There are no reported fixed by versions. |
|
VCID-tfn5-6ckq-wyce
Aliases: CVE-2010-3718 GHSA-fj6c-prgj-gr3r |
Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||