Apache Tomcat security vulnerabilities
Published: 10.05.2013
SecurityVulns ID: 13080
Type: remote
Threat Level: 6/10
Description: DoS, session fixation, information leakage.
Affected:
 APACHE : Tomcat 6.0
 APACHE : Tomcat 7.0
CVE:
 CVE-2013-2071 (java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.)
 CVE-2013-2067 (java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.)
 CVE-2012-3544 (Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.)
Original documents:
 APACHE, CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException (10.05.2013)
 APACHE, [SECURITY] CVE-2013-2067 Session fixation with FORM authenticator (10.05.2013)
 APACHE, [SECURITY] CVE-2012-3544 Chunked transfer encoding extension size is not limited (10.05.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod