Page 14 of 75 results (0.039 seconds)

CVSS: 5.0EPSS: 5%CPEs: 90EXPL: 0

CVE-2012-0022 – tomcat: large number of parameters DoS

https://notcve.org/view.php?id=CVE-2012-0022

Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858. Apache Tomcat v5.5.x antes de v5.5.35, v6.x antes de v6.0.34, v7.x antes de v7.0.23 utiliza un método ineficiente para el manejo de parámetros, lo que permite provocar una denegación de servicio (por consumo de CPU) a atacantes remotos a través de una solicitud que contiene muchos parámetros y valores diferentes. Se trata de una vulnerabilidad diferente a la del CVE-2011-4858. • http://archives.neohapsis.com/archives/bugtraq/2012-01/0112.html http://marc.info/?l=bugtraq&m=132871655717248&w=2 http://marc.info/?l=bugtraq&m=133294394108746&w=2 http://marc.info/?l=bugtraq&m=136485229118404&w=2 http://rhn.redhat.com/errata/RHSA-2012-0074.html http://rhn.redhat.com/errata/RHSA-2012-0075.html http://rhn.redhat.com/errata/RHSA-2012-0076.html http://rhn.redhat.com/errata/RHSA-2012-0077.html http://rhn.redhat.com/errata/RHSA-2012-0078.ht • CWE-189: Numeric Errors •

CVSS: 5.0EPSS: 0%CPEs: 26EXPL: 0

CVE-2011-3375 – tomcat: information disclosure due to improper response and request object recycling

https://notcve.org/view.php?id=CVE-2011-3375

Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data. Apache Tomcat v6.0.30 a v6.0.33 y v7.x antes de v7.0.22 no realiza correctamente ciertas operaciones de almacenamiento en caché y reciclado de objetos de solicitud, lo cual permite a atacantes remotos obtener acceso de lectura a la dirección IP y a la información de la cabecera HTTP en determinadas circunstancias leyendo datos TCP. • http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-7.html http://www.debian.org/security/2012/dsa-2401 https://access.redhat.com/security/cve/CVE-2011-3375 https://bugzilla.redhat.com/show_bug.cgi?id=782624 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.0EPSS: 65%CPEs: 59EXPL: 1

CVE-2011-4858 – MyBulletinBoard (MyBB) 1.1.5 - 'CLIENT-IP' SQL Injection

https://notcve.org/view.php?id=CVE-2011-4858

Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. Apache Tomcat antes de v5.5.35, v6.x antes de v6.0.35 y v7.x antes de v7.0.23 calcula los valores hash de los parámetros de los formularios, sin restringir la capacidad de desencadenar colisiones de hash de forma predecible. Esto permite a atacantes remotos provocar una denegación de servicio (por consumo de CPU) mediante el envío de gran cantidad de parámetros especialmente modificados. • https://www.exploit-db.com/exploits/2012 http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3c4EFB9800.5010106%40apache.org%3e http://marc.info/?l=bugtraq&m=132871655717248&w=2 http://marc.info/?l=bugtraq&m=133294394108746&w=2 http://marc.info/?l=bugtraq&m=136485229118404&w=2 http://rhn.redhat.com/errata/RHSA-2012-0074.html http://rhn.redhat.com/errata/RHSA-2012-0075.html http://rhn.redhat.com/errata/RHSA-2012-0076.html http://rhn.redhat • CWE-399: Resource Management Errors •

CVSS: 4.4EPSS: 0%CPEs: 23EXPL: 0

CVE-2011-3376

https://notcve.org/view.php?id=CVE-2011-3376

org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality. org/apache/catalina/core/DefaultInstanceManager.java en Apache Tomcat v7.x anteriores a v7.0.22 no restringe adecuadamente ContainerServlets en la aplicación Manager, lo que permite a usuarios locales conseguir privilegios mediante una aplicación web no es de confianza para acceder a la funcionalidad de la aplicación Manager. • http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java?r1=1176588&r2=1176587&pathrev=1176588 http://svn.apache.org/viewvc?view=revision&revision=1176588 http://tomcat.apache.org/security-7.html http://www.securityfocus.com/bid/50603 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 7.5EPSS: 1%CPEs: 85EXPL: 1

CVE-2011-3190 – tomcat: authentication bypass and information disclosure

https://notcve.org/view.php?id=CVE-2011-3190

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request. Algunas implementaciones del conector del protocolo AJP en Apache Tomcat v7.0.0 a v7.0.20, v6.0.0 a v6.0.33, v5.5.0 a v5.5.33, y posiblemente con otras versiones, permiten a atacantes remotos falsificar peticiones AJP, eludir la autenticación y obtener información sensible haciendo que el conector interprete un cuerpo de una petición como una nueva solicitud. • http://marc.info/?l=bugtraq&m=132215163318824&w=2 http://marc.info/?l=bugtraq&m=133469267822771&w=2 http://marc.info/?l=bugtraq&m=136485229118404&w=2 http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://secunia.com/advisories/45748 http://secunia.com/advisories/48308 http://secunia.com/advisories/49094 http://secunia.com/advisories/57126 http://securityreason.com/securityalert/8362 http://www.debian.org/security/2012/dsa-2401 http://www.mandriva.com/securi • CWE-264: Permissions, Privileges, and Access Controls •