CVSS: 7.1EPSS: 0%CPEs: 178EXPL: 1CVE-2016-6816 – Apache Tomcat 6/7/8/9 - Information Disclosure
https://notcve.org/view.php?id=CVE-2016-6816
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. El código en Apache Tomcat 9.0.0.M1 a 9.0.0.M11, 8.5.0 a 8.5.6, 8.0.0.RC1 a 8.0.38, 7.0.0 a 7.0.72 y 6.0.0 a 6.0.47 que analizó la línea de solicitud HTTP permitió caracteres no válidos. Esto podría ser explotado, junto con un proxy que también permitió los caracteres no válidos, pero con una interpretación diferente, para inyectar datos en la respuesta HTTP. • https://www.exploit-db.com/exploits/41783 http://rhn.redhat.com/errata/RHSA-2017-0244.html http://rhn.redhat.com/errata/RHSA-2017-0245.html http://rhn.redhat.com/errata/RHSA-2017-0246.html http://rhn.redhat.com/errata/RHSA-2017-0247.html http://rhn.redhat.com/errata/RHSA-2017-0250.html http://rhn.redhat.com/errata/RHSA-2017-0457.html http://rhn.redhat.com/errata/RHSA-2017-0527.html http://www.debian.org/security/2016/dsa-3738 http://www.oracle.com/ • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.5EPSS: 0%CPEs: 138EXPL: 0CVE-2016-8745 – tomcat: information disclosure due to incorrect Processor sharing
https://notcve.org/view.php?id=CVE-2016-8745
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions. • http://rhn.redhat.com/errata/RHSA-2017-0457.html http://rhn.redhat.com/errata/RHSA-2017-0527.html http://www.debian.org/security/2017/dsa-3754 http://www.debian.org/security/2017/dsa-3755 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.securityfocus.com/bid/94828 http://www.securitytracker.com/id/1037432 https://access.redhat.com/errata/RHSA-2017:0455 https://a • CWE-388: 7PK - Errors •
CVSS: 7.8EPSS: 5%CPEs: 94EXPL: 0CVE-2016-3092 – tomcat: Usage of vulnerable FileUpload package can result in denial of service
https://notcve.org/view.php?id=CVE-2016-3092
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. La clase MultipartStream en Apache Commons Fileupload en versiones anteriores a 1.3.2, tal como se utiliza en Apache Tomcat 7.x en versiones anteriores a 7.0.70, 8.x en versiones anteriores a 8.0.36, 8.5.x en versiones anteriores a 8.5.3 y 9.x en versiones anteriores a 9.0.0.M7 y otros productos, permite a atacantes remotos provocar una denegación de servicio (consumo de CPU) a través de una cadena de límite largo. A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. • http://jvn.jp/en/jp/JVN89379547/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121 http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E http://rhn.redhat.com/errata/RHSA-2016-2068.html http://rhn.redhat.com/errata/RHSA-2016-2069.html http://rhn.redhat.com/errata/RHSA-2016-2070.html http://rhn.redhat.com/errata/RHSA-2016 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 74EXPL: 0CVE-2016-0763 – tomcat: security manager bypass via setGlobalContext()
https://notcve.org/view.php?id=CVE-2016-0763
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. El método setGlobalContext en org/apache/naming/factory/ResourceLinkFactory.java en Apache Tomcat 7.x en versiones anteriores a 7.0.68, 8.x en versiones anteriores a 8.0.31 y 9.x en versiones anteriores a 9.0.0.M3 no considera si los que llaman a ResourceLinkFactory.setGlobalContext están autorizados, lo que permite a usuarios remotos autenticados eludir las restricciones de SecurityManager previstas y leer o escribir a datos de aplicación arbitrarios, o provocar una denegación de servicio (interrupción de aplicación), a través de una aplicación web que establece un contexto global manipulado. A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html http://rhn.redhat.com/errata/RHSA-2016-1089.html http://rhn.redhat.com/errata/RHSA-2016-2599.html http://rhn.redhat.com/errata/RHSA-2016-2807.html http://rhn.redhat.com/errata/RHSA-2016 • CWE-264: Permissions, Privileges, and Access Controls CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 102EXPL: 0CVE-2015-5345 – tomcat: directory disclosure
https://notcve.org/view.php?id=CVE-2015-5345
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. El componente Mapper en Apache Tomcat 6.x en versiones anteriores a 6.0.45, 7.x en versiones anteriores a 7.0.68, 8.x en versiones anteriores a 8.0.30, y 9.x en versiones anteriores a 9.0.0.M2 procesa redirecciones antes de considerar las restricciones y Filtros de seguridad, lo que permite a atacantes remotos determinar la existencia de un directorio a través de una URL que carece de un carácter / (barra) final. It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. • http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html http://marc.info/?l=bugtraq&m=145974991225029&w=2 http://packetstormsecurity.com/files/135892/Apache-Tomcat-Directory-Disclosure.html http://rhn.redhat.com/errata/RHSA-2016-1089.html http://rhn.redhat&# • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-552: Files or Directories Accessible to External Parties •