Computer Security
[EN] securityvulns.ru no-pyccku


Apache Tomcat multiple security vulnerabilities
updated since 01.08.2008
Published:28.01.2009
Source:
SecurityVulns ID:9193
Type:remote
Threat Level:
6/10
Description:Crossite scripting, information leak.
Affected:APACHE : Tomcat 4.1
 APACHE : Tomcat 5.5
 APACHE : Tomcat 6.0
 CA : Cohesion Application Configuration Manager 4.5
CVE:CVE-2008-2938 (Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.)
 CVE-2008-2370 (Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.)
 CVE-2008-1232 (Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method.)
Original documentdocumentCA, CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) (28.01.2009)
 documentWilliam A. Rowe, Jr., Java Runtime UTF-8 Decoder Smuggling Vector (11.01.2009)
 documentAPACHE, [SECURITY] CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Update 2 (19.12.2008)
 documentAPACHE, [SECURITY] CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Updated (10.09.2008)
 documentemericboit_(at)_yahoo.fr, Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability (12.08.2008)
 documentAPACHE, [CVE-2008-1232] Apache Tomcat XSS vulnerability (01.08.2008)
 documentAPACHE, [CVE-2008-2370] Apache Tomcat information disclosure vulnerability (01.08.2008)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod