Vulnerability details: VCID-g998-xymt-fudu
Vulnerability ID VCID-g998-xymt-fudu
Aliases CVE-2009-2901
GHSA-hjfh-7c4v-7q8h
Summary The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html
generic_textual MODERATE http://marc.info/?l=bugtraq&m=127420533226623&w=2
generic_textual MODERATE http://marc.info/?l=bugtraq&m=133469267822771&w=2
generic_textual MODERATE http://marc.info/?l=bugtraq&m=139344343412337&w=2
epss 0.06552 https://api.first.org/data/v1/epss?cve=CVE-2009-2901
apache_tomcat Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901
generic_textual MODERATE https://exchange.xforce.ibmcloud.com/vulnerabilities/55856
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-hjfh-7c4v-7q8h
generic_textual MODERATE https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat55/commit/0299cb724ea71f304d54adfcdb950f59b01fb421
generic_textual MODERATE https://github.com/apache/tomcat/commit/3e1010b1a2f648581fac3d68afbf18f2979f6bf6
generic_textual MODERATE https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2009-2901
generic_textual MODERATE http://support.apple.com/kb/HT4077
generic_textual MODERATE http://svn.apache.org/viewvc?rev=892815&view=rev
generic_textual MODERATE http://svn.apache.org/viewvc?rev=902650&view=rev
generic_textual MODERATE http://tomcat.apache.org/security-5.html
generic_textual MODERATE http://tomcat.apache.org/security-6.html
generic_textual MODERATE http://ubuntu.com/usn/usn-899-1
generic_textual MODERATE http://www.vmware.com/security/advisories/VMSA-2011-0003.html
Reference id Reference type URL
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html
http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html
http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html
http://marc.info/?l=bugtraq&m=127420533226623&w=2
http://marc.info/?l=bugtraq&m=133469267822771&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2901.json
https://api.first.org/data/v1/epss?cve=CVE-2009-2901
https://exchange.xforce.ibmcloud.com/vulnerabilities/55856
https://github.com/apache/tomcat
https://github.com/apache/tomcat55/commit/0299cb724ea71f304d54adfcdb950f59b01fb421
https://github.com/apache/tomcat/commit/3e1010b1a2f648581fac3d68afbf18f2979f6bf6
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
https://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
https://svn.apache.org/viewvc?view=rev&rev=892815
https://svn.apache.org/viewvc?view=rev&rev=902650
http://support.apple.com/kb/HT4077
http://svn.apache.org/viewvc?rev=892815&view=rev
http://svn.apache.org/viewvc?rev=902650&view=rev
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://ubuntu.com/usn/usn-899-1
http://www.vmware.com/security/advisories/VMSA-2011-0003.html
559742 https://bugzilla.redhat.com/show_bug.cgi?id=559742
CVE-2009-2901 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901
CVE-2009-2901 https://nvd.nist.gov/vuln/detail/CVE-2009-2901
GHSA-hjfh-7c4v-7q8h https://github.com/advisories/GHSA-hjfh-7c4v-7q8h
GLSA-201206-24 https://security.gentoo.org/glsa/201206-24
USN-899-1 https://usn.ubuntu.com/899-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.91088
EPSS Score 0.06552
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:17.333892+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-6.html 38.0.0