{"url":"http://public2.vulnerablecode.io/api/packages/61709?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@5.0.0","type":"maven","namespace":"org.apache.tomcat","name":"tomcat","version":"5.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.0.31","latest_non_vulnerable_version":"11.0.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43176?format=json","vulnerability_id":"VCID-24v5-jpna-rqg9","summary":"Apache Tomcat Reveals Directories\nApache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (`;`) preceding a filename with a mapped extension, as demonstrated by URLs ending with `/;index.jsp` and `/;help.do`.","references":[{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/27902","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/27902"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/34183","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/34183"},{"reference_url":"https://github.com/apache/tomcat","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat"},{"reference_url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://web.archive.org/web/20200517122628/http://www.securityfocus.com/archive/1/500396/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20200517122628/http://www.securityfocus.com/archive/1/500396/100/0/threaded"},{"reference_url":"https://web.archive.org/web/20200517153851/http://www.securityfocus.com/archive/1/500412/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20200517153851/http://www.securityfocus.com/archive/1/500412/100/0/threaded"},{"reference_url":"https://web.archive.org/web/20200525234537/http://securitytracker.com/id?1016576","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20200525234537/http://securitytracker.com/id?1016576"},{"reference_url":"https://web.archive.org/web/20200526144006/http://www.securityfocus.com/archive/1/507729/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20200526144006/http://www.securityfocus.com/archive/1/507729/100/0/threaded"},{"reference_url":"https://web.archive.org/web/20200526152646/http://www.securityfocus.com/archive/1/468048/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20200526152646/http://www.securityfocus.com/archive/1/468048/100/0/threaded"},{"reference_url":"https://web.archive.org/web/20200526165235/http://www.securityfocus.com/bid/19106","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20200526165235/http://www.securityfocus.com/bid/19106"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2006-3835","reference_id":"CVE-2006-3835","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2006-3835"},{"reference_url":"https://github.com/advisories/GHSA-wfj7-mhr5-pcwq","reference_id":"GHSA-wfj7-mhr5-pcwq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wfj7-mhr5-pcwq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61772?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@5.5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cqz2-4njt-g3da"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.17"}],"aliases":["CVE-2006-3835","GHSA-wfj7-mhr5-pcwq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-24v5-jpna-rqg9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43131?format=json","vulnerability_id":"VCID-2af1-rv9j-jugv","summary":"Cross-site scripting in Apache Tomcat\nCross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors.  NOTE: this may be related to CVE-2006-0254.1.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2007:0326","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2007:0326"},{"reference_url":"https://access.redhat.com/errata/RHSA-2007:0340","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2007:0340"},{"reference_url":"https://access.redhat.com/errata/RHSA-2008:0261","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2008:0261"},{"reference_url":"https://access.redhat.com/errata/RHSA-2008:0524","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2008:0524"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=238131","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=238131"},{"reference_url":"https://github.com/apache/tomcat","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat"},{"reference_url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2006-7196","reference_id":"CVE-2006-7196","reference_type":"","scores":[],"url":"https://access.redhat.com/security/cve/CVE-2006-7196"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2006-7196","reference_id":"CVE-2006-7196","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2006-7196"},{"reference_url":"https://github.com/advisories/GHSA-pm78-wxxf-fw98","reference_id":"GHSA-pm78-wxxf-fw98","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pm78-wxxf-fw98"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61736?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@5.0.31","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.0.31"},{"url":"http://public2.vulnerablecode.io/api/packages/61737?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@5.5.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.16"}],"aliases":["CVE-2006-7196","GHSA-pm78-wxxf-fw98"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2af1-rv9j-jugv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43901?format=json","vulnerability_id":"VCID-4t2h-jjhm-y7fq","summary":"Apache Tomcat Allows Remote Attackers to Spoof AJP Requests\nCertain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.","references":[{"reference_url":"http://marc.info/?l=bugtraq&m=132215163318824&w=2","reference_id":"","reference_type":"","scores":[],"url":"http://marc.info/?l=bugtraq&m=132215163318824&w=2"},{"reference_url":"http://marc.info/?l=bugtraq&m=133469267822771&w=2","reference_id":"","reference_type":"","scores":[],"url":"http://marc.info/?l=bugtraq&m=133469267822771&w=2"},{"reference_url":"http://marc.info/?l=bugtraq&m=136485229118404&w=2","reference_id":"","reference_type":"","scores":[],"url":"http://marc.info/?l=bugtraq&m=136485229118404&w=2"},{"reference_url":"http://marc.info/?l=bugtraq&m=139344343412337&w=2","reference_id":"","reference_type":"","scores":[],"url":"http://marc.info/?l=bugtraq&m=139344343412337&w=2"},{"reference_url":"http://securityreason.com/securityalert/8362","reference_id":"","reference_type":"","scores":[],"url":"http://securityreason.com/securityalert/8362"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/69472","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/69472"},{"reference_url":"https://issues.apache.org/bugzilla/show_bug.cgi?id=51698","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/bugzilla/show_bug.cgi?id=51698"},{"reference_url":"https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14933","reference_id":"","reference_type":"","scores":[],"url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14933"},{"reference_url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19465","reference_id":"","reference_type":"","scores":[],"url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19465"},{"reference_url":"http://www.debian.org/security/2012/dsa-2401","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2012/dsa-2401"},{"reference_url":"http://www.mandriva.com/security/advisories?name=MDVSA-2011:156","reference_id":"","reference_type":"","scores":[],"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2011:156"},{"reference_url":"http://www.securityfocus.com/archive/1/519466/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/archive/1/519466/100/0/threaded"},{"reference_url":"http://www.securityfocus.com/bid/49353","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/49353"},{"reference_url":"http://www.securitytracker.com/id?1025993","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id?1025993"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-3190","reference_id":"CVE-2011-3190","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-3190"},{"reference_url":"https://github.com/advisories/GHSA-c38m-v4m2-524v","reference_id":"GHSA-c38m-v4m2-524v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c38m-v4m2-524v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63019?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@5.5.34","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.34"},{"url":"http://public2.vulnerablecode.io/api/packages/61974?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@6.0.34","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.34"},{"url":"http://public2.vulnerablecode.io/api/packages/63088?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@7.0.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.21"}],"aliases":["CVE-2011-3190","GHSA-c38m-v4m2-524v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4t2h-jjhm-y7fq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2223?format=json","vulnerability_id":"VCID-atus-ryef-17h1","summary":"Mozilla developers added support in the Network Security Services\nmodule for preventing a type of man-in-the-middle attack against TLS\nusing forced renegotiation.Note that to benefit from the fix, Firefox 3.6 and\nFirefox 3.5 users will need to set\ntheir security.ssl.require_safe_negotiation preference to\ntrue.  Firefox 3 does not contain the fix for this issue.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566"},{"reference_url":"https://nginx.org/download/patch.cve-2009-3555.txt","reference_id":"","reference_type":"","scores":[],"url":"https://nginx.org/download/patch.cve-2009-3555.txt"},{"reference_url":"https://nginx.org/download/patch.cve-2009-3555.txt.asc","reference_id":"","reference_type":"","scores":[],"url":"https://nginx.org/download/patch.cve-2009-3555.txt.asc"},{"reference_url":"https://tomcat.apache.org/security-7.html","reference_id":"","reference_type":"","scores":[],"url":"https://tomcat.apache.org/security-7.html"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555","reference_id":"CVE-2009-3555","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2009-3555","reference_id":"CVE-2009-3555","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-3555"},{"reference_url":"https://github.com/advisories/GHSA-f7w7-6pjc-wwm6","reference_id":"GHSA-f7w7-6pjc-wwm6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f7w7-6pjc-wwm6"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2010-22","reference_id":"mfsa2010-22","reference_type":"","scores":[{"value":"low","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2010-22"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61889?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@5.5.33","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4t2h-jjhm-y7fq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.33"},{"url":"http://public2.vulnerablecode.io/api/packages/61887?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@6.0.32","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.32"},{"url":"http://public2.vulnerablecode.io/api/packages/61888?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@7.0.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.10"}],"aliases":["CVE-2009-3555","GHSA-f7w7-6pjc-wwm6","VU#120541"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-atus-ryef-17h1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43152?format=json","vulnerability_id":"VCID-cqz2-4njt-g3da","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCross-site scripting (XSS) vulnerability in implicit-objects.jsp in Apache Tomcat 5.0.0 through 5.0.30 and 5.5.0 through 5.5.17 allows remote attackers to inject arbitrary web script or HTML via certain header values.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2007:0326","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2007:0326"},{"reference_url":"https://access.redhat.com/errata/RHSA-2007:0327","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2007:0327"},{"reference_url":"https://access.redhat.com/errata/RHSA-2007:0328","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2007:0328"},{"reference_url":"https://access.redhat.com/errata/RHSA-2007:0340","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2007:0340"},{"reference_url":"https://access.redhat.com/errata/RHSA-2008:0261","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2008:0261"},{"reference_url":"https://access.redhat.com/errata/RHSA-2008:0524","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2008:0524"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=237081","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=237081"},{"reference_url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10514","reference_id":"","reference_type":"","scores":[],"url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10514"},{"reference_url":"http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm","reference_id":"","reference_type":"","scores":[],"url":"http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm"},{"reference_url":"https://web.archive.org/web/20080515114843/http://www.securityfocus.com/bid/28481","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20080515114843/http://www.securityfocus.com/bid/28481"},{"reference_url":"https://web.archive.org/web/20171015140308/http://www.securityfocus.com/archive/1/500396/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20171015140308/http://www.securityfocus.com/archive/1/500396/100/0/threaded"},{"reference_url":"https://web.archive.org/web/20171015140313/http://www.securityfocus.com/archive/1/500412/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20171015140313/http://www.securityfocus.com/archive/1/500412/100/0/threaded"},{"reference_url":"https://web.archive.org/web/20201021082255/http://www.securityfocus.com/archive/1/485938/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20201021082255/http://www.securityfocus.com/archive/1/485938/100/0/threaded"},{"reference_url":"https://web.archive.org/web/20230518052431/http://lists.vmware.com/pipermail/security-announce/2008/000003.html","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20230518052431/http://lists.vmware.com/pipermail/security-announce/2008/000003.html"},{"reference_url":"http://tomcat.apache.org/security-5.html","reference_id":"","reference_type":"","scores":[],"url":"http://tomcat.apache.org/security-5.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2007-0327.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2007-0327.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2008-0261.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2008-0261.html"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2006-7195","reference_id":"CVE-2006-7195","reference_type":"","scores":[],"url":"https://access.redhat.com/security/cve/CVE-2006-7195"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2006-7195","reference_id":"CVE-2006-7195","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2006-7195"},{"reference_url":"https://github.com/advisories/GHSA-p57v-p3fx-qgwm","reference_id":"GHSA-p57v-p3fx-qgwm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-p57v-p3fx-qgwm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61773?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@5.5.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.18"}],"aliases":["CVE-2006-7195","GHSA-p57v-p3fx-qgwm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cqz2-4njt-g3da"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43223?format=json","vulnerability_id":"VCID-crhe-rt8j-wycu","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nApache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2009-0580","reference_id":"CVE-2009-0580","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-0580"},{"reference_url":"https://github.com/advisories/GHSA-w227-xcfx-3pj8","reference_id":"GHSA-w227-xcfx-3pj8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w227-xcfx-3pj8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61837?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@5.5.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9j31-459b-4qbm"},{"vulnerability":"VCID-eawm-8v9w-yfap"},{"vulnerability":"VCID-y9yv-u4jh-mqew"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.5.28"},{"url":"http://public2.vulnerablecode.io/api/packages/61897?format=json","purl":"pkg:maven/org.apache.tomcat/tomcat@6.0.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.19"}],"aliases":["CVE-2009-0580","GHSA-w227-xcfx-3pj8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-crhe-rt8j-wycu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43146?format=json","vulnerability_id":"VCID-kxc3-vz2c-wqca","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nAbsolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.","references":[{"reference_url":"http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html","reference_id":"","reference_type":"","scores":[],"url":"http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html"},{"reference_url":"http://issues.apache.org/jira/browse/GERONIMO-3549","reference_id":"","reference_type":"","scores":[],"url":"http://issues.apache.org/jira/browse/GERONIMO-3549"},{"reference_url":"http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"},{"reference_url":"http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"},{"reference_url":"http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3C47135C2D.1000705@apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3C47135C2D.1000705@apache.org%3E"},{"reference_url":"http://marc.info/?l=bugtraq&m=139344343412337&w=2","reference_id":"","reference_type":"","scores":[],"url":"http://marc.info/?l=bugtraq&m=139344343412337&w=2"},{"reference_url":"http://marc.info/?l=full-disclosure&m=119239530508382","reference_id":"","reference_type":"","scores":[],"url":"http://marc.info/?l=full-disclosure&m=119239530508382"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2008-0630.html","reference_id":"","reference_type":"","scores":[],"url":"http://rhn.redhat.com/errata/RHSA-2008-0630.html"},{"reference_url":"http://security.gentoo.org/glsa/glsa-200804-10.xml","reference_id":"","reference_type":"","scores":[],"url":"http://security.gentoo.org/glsa/glsa-200804-10.xml"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/37243","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/37243"},{"reference_url":"https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"http://support.apple.com/kb/HT2163","reference_id":"","reference_type":"","scores":[],"url":"http://support.apple.com/kb/HT2163"},{"reference_url":"http://support.apple.com/kb/HT3216","reference_id":"","reference_type":"","scores":[],"url":"http://support.apple.com/kb/HT3216"},{"reference_url":"https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"},{"reference_url":"http://tomcat.apache.org/security-4.html","reference_id":"","reference_type":"","scores":[],"url":"http://tomcat.apache.org/security-4.html"},{"reference_url":"http://tomcat.apache.org/security-5.html","reference_id":"","reference_type":"","scores":[],"url":"http://tomcat.apache.org/security-5.html"},{"reference_url":"http://tomcat.apache.org/security-6.html","reference_id":"","reference_type":"","scores":[],"url":"http://tomcat.apache.org/security-6.html"},{"reference_url":"http://www.debian.org/security/2008/dsa-1447","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2008/dsa-1447"},{"reference_url":"http://www.debian.org/security/2008/dsa-1453","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2008/dsa-1453"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2008-0042.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2008-0042.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2008-0195.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2008-0195.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2008-0261.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2008-0261.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2008-0862.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2008-0862.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2007-5461","reference_id":"CVE-2007-5461","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2007-5461"},{"reference_url":"https://github.com/advisories/GHSA-v5p2-vg3c-pmrr","reference_id":"GHSA-v5p2-vg3c-pmrr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v5p2-vg3c-pmrr"}],"fixed_packages":[],"aliases":["CVE-2007-5461","GHSA-v5p2-vg3c-pmrr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kxc3-vz2c-wqca"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43112?format=json","vulnerability_id":"VCID-qz87-x4zb-rud7","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nApache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes (\"'\") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks.","references":[{"reference_url":"http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx","reference_id":"","reference_type":"","scores":[],"url":"http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"},{"reference_url":"http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/36006","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/36006"},{"reference_url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"http://support.apple.com/kb/HT2163","reference_id":"","reference_type":"","scores":[],"url":"http://support.apple.com/kb/HT2163"},{"reference_url":"https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"},{"reference_url":"http://tomcat.apache.org/security-6.html","reference_id":"","reference_type":"","scores":[],"url":"http://tomcat.apache.org/security-6.html"},{"reference_url":"http://www.debian.org/security/2008/dsa-1447","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2008/dsa-1447"},{"reference_url":"http://www.debian.org/security/2008/dsa-1453","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2008/dsa-1453"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2007-0871.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2007-0871.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2007-0950.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2007-0950.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2008-0195.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2008-0195.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2008-0261.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2008-0261.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2007-3382","reference_id":"CVE-2007-3382","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2007-3382"},{"reference_url":"https://github.com/advisories/GHSA-qff8-g48j-pwpw","reference_id":"GHSA-qff8-g48j-pwpw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qff8-g48j-pwpw"}],"fixed_packages":[],"aliases":["CVE-2007-3382","GHSA-qff8-g48j-pwpw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qz87-x4zb-rud7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43172?format=json","vulnerability_id":"VCID-w8uj-zy2r-fyca","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nMultiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a \"snp/snoop.jsp;\" sequence.","references":[{"reference_url":"http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2008-0630.html","reference_id":"","reference_type":"","scores":[],"url":"http://rhn.redhat.com/errata/RHSA-2008-0630.html"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/34869","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/34869"},{"reference_url":"https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"http://support.apple.com/kb/HT2163","reference_id":"","reference_type":"","scores":[],"url":"http://support.apple.com/kb/HT2163"},{"reference_url":"http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540","reference_id":"","reference_type":"","scores":[],"url":"http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"},{"reference_url":"https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html"},{"reference_url":"http://tomcat.apache.org/security-4.html","reference_id":"","reference_type":"","scores":[],"url":"http://tomcat.apache.org/security-4.html"},{"reference_url":"http://tomcat.apache.org/security-5.html","reference_id":"","reference_type":"","scores":[],"url":"http://tomcat.apache.org/security-5.html"},{"reference_url":"http://tomcat.apache.org/security-6.html","reference_id":"","reference_type":"","scores":[],"url":"http://tomcat.apache.org/security-6.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2007-0569.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2007-0569.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2008-0261.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2008-0261.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2007-2449","reference_id":"CVE-2007-2449","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2007-2449"},{"reference_url":"https://github.com/advisories/GHSA-hc39-rjwp-qffq","reference_id":"GHSA-hc39-rjwp-qffq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hc39-rjwp-qffq"}],"fixed_packages":[],"aliases":["CVE-2007-2449","GHSA-hc39-rjwp-qffq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w8uj-zy2r-fyca"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43149?format=json","vulnerability_id":"VCID-zam7-79x3-ekg3","summary":"Improper Neutralization\nJakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a \"Transfer-Encoding: chunked\" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka \"HTTP Request Smuggling.\"","references":[{"reference_url":"http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx","reference_id":"","reference_type":"","scores":[],"url":"http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx"},{"reference_url":"http://docs.info.apple.com/article.html?artnum=306172","reference_id":"","reference_type":"","scores":[],"url":"http://docs.info.apple.com/article.html?artnum=306172"},{"reference_url":"http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"},{"reference_url":"http://lists.vmware.com/pipermail/security-announce/2008/000003.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.vmware.com/pipermail/security-announce/2008/000003.html"},{"reference_url":"http://seclists.org/lists/bugtraq/2005/Jun/0025.html","reference_id":"","reference_type":"","scores":[],"url":"http://seclists.org/lists/bugtraq/2005/Jun/0025.html"},{"reference_url":"http://securitytracker.com/id?1014365","reference_id":"","reference_type":"","scores":[],"url":"http://securitytracker.com/id?1014365"},{"reference_url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10499","reference_id":"","reference_type":"","scores":[],"url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10499"},{"reference_url":"http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1","reference_id":"","reference_type":"","scores":[],"url":"http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1"},{"reference_url":"http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm","reference_id":"","reference_type":"","scores":[],"url":"http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm"},{"reference_url":"http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540","reference_id":"","reference_type":"","scores":[],"url":"http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540"},{"reference_url":"http://tomcat.apache.org/security-4.html","reference_id":"","reference_type":"","scores":[],"url":"http://tomcat.apache.org/security-4.html"},{"reference_url":"http://tomcat.apache.org/security-5.html","reference_id":"","reference_type":"","scores":[],"url":"http://tomcat.apache.org/security-5.html"},{"reference_url":"http://tomcat.apache.org/security-6.html","reference_id":"","reference_type":"","scores":[],"url":"http://tomcat.apache.org/security-6.html"},{"reference_url":"http://www.fujitsu.com/global/support/software/security/products-f/interstage-200703e.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.fujitsu.com/global/support/software/security/products-f/interstage-200703e.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2007-0327.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2007-0327.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2007-0360.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2007-0360.html"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2008-0261.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.redhat.com/support/errata/RHSA-2008-0261.html"},{"reference_url":"http://www.securiteam.com/securityreviews/5GP0220G0U.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.securiteam.com/securityreviews/5GP0220G0U.html"},{"reference_url":"http://www.securityfocus.com/archive/1/485938/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/archive/1/485938/100/0/threaded"},{"reference_url":"http://www.securityfocus.com/archive/1/500396/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/archive/1/500396/100/0/threaded"},{"reference_url":"http://www.securityfocus.com/archive/1/500412/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/archive/1/500412/100/0/threaded"},{"reference_url":"http://www.securityfocus.com/bid/13873","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/13873"},{"reference_url":"http://www.securityfocus.com/bid/25159","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/25159"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2005-2090","reference_id":"CVE-2005-2090","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2005-2090"},{"reference_url":"https://github.com/advisories/GHSA-f2gq-p6qv-ccw4","reference_id":"GHSA-f2gq-p6qv-ccw4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f2gq-p6qv-ccw4"}],"fixed_packages":[],"aliases":["CVE-2005-2090","GHSA-f2gq-p6qv-ccw4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zam7-79x3-ekg3"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@5.0.0"}