Page 18 of 96 results (0.023 seconds)

CVSS: 2.1EPSS: 0%CPEs: 79EXPL: 0

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file. Apache Tomcat v5.5.x antes de v5.5.34, v6.0.33 antes de v6.x, v7.x antes de v7.0.17, cuando el MemoryUserDatabase se utiliza, crea entradas del registro que contienen las contraseñas al encontrar errores en la creación de usuarios JMX, lo que permite a usuarios locales obtener información sensible mediante la lectura de un archivo de registro. • http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html http://marc.info/?l=bugtraq&m=132215163318824&w=2 http://marc.info/?l=bugtraq&m=133469267822771&w=2 http://marc.info/?l=bugtraq&m=136485229118404&w=2 http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://secunia.com/advisories/44981 http://secunia.com/advisories/48308 http://secunia.com/advisories/57126 http://securitytracker.com/id? • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0

Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419. Apache Tomcat v7.0.12 y v7.0.13 procesa la primera petición a un servlet sin seguir las restricciones de seguridad que se han configurado a través de anotaciones, que permite a atacantes remotos evitar las restricciones de acceso previstas a través de peticiones HTTP. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2011-1088, CVE-2011-1183, y CVE-2011-1419. • http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E http://securityreason.com/securityalert/8256 http://svn.apache.org/viewvc?view=revision&revision=1100832 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29 http://www.securityfocus.com/archive/1/518032/100/0/threaded http://www.securityfocus.com/bid/47886 http://www.vupen.com/english/advisories/2011/1255 https://exchange.xforce.ibmcloud& • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.0EPSS: 0%CPEs: 13EXPL: 1

The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users." El conector HTTP BIO en Apache Tomcat v7.0.x anterior a v7.0.12 no controla correctamente HTTP "pipelining", permitiendo a atacantes remotos leer las respuestas para otros clientes en circunstancias oportunistas mediante la examinación de los datos de la aplicación en paquetes HTTP, relacionado con una "una mezcla de respuestas a las peticiones de los diferentes usuarios" • https://github.com/samaujs/CVE-2011-1475 http://seclists.org/fulldisclosure/2011/Apr/97 http://securityreason.com/securityalert/8188 http://svn.apache.org/viewvc?view=revision&revision=1086349 http://svn.apache.org/viewvc?view=revision&revision=1086352 http://tomcat.apache.org/security-7.html http://www.securityfocus.com/archive/1/517363 http://www.securityfocus.com/bid/47199 http://www.securitytracker.com/id?1025303 http://www.vupen.com/english/advisories/2011/0894 https://ex • CWE-20: Improper Input Validation •

CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0

Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419. Apache Tomcat v7.0.11, cuando web.xml no tiene configuración de login, no se siguen las restricciones de seguridad, permitiendo a atacantes remotos evitar las restricciones de acceso a través de peticiones HTTP a los meta-datos de la aplicación web. NOTA: esta vulnerabilidad existe debido a un parche incorrecto para CVE-2011-1088 y CVE-2011-1419. • http://seclists.org/fulldisclosure/2011/Apr/96 http://securityreason.com/securityalert/8187 http://svn.apache.org/viewvc?view=revision&revision=1087643 http://tomcat.apache.org/security-7.html http://www.securityfocus.com/archive/1/517362/100/0/threaded http://www.securityfocus.com/bid/47196 https://exchange.xforce.ibmcloud.com/vulnerabilities/66675 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12701 •

CVSS: 5.8EPSS: 0%CPEs: 12EXPL: 0

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088. Apache Tomcat v7.x anterior a v7.0.11, cuando web.xml no tiene restricciones de seguridad, no sigue anotaciones ServletSecurity, lo que permite a atacantes remotos evitar las restricciones de acceso a través de peticiones HTTP a una aplicación web. Nota: esta vulnerabilidad existe debido a un parche incompleto para CVE-2011-1088. • http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E http://marc.info/?l=tomcat-user&m=129966773405409&w=2 http://markmail.org/message/lzx5273wsgl5pob6 http://markmail.org/message/yzmyn44f5aetmm2r http://secunia.com/advisories/43684 http://securityreason.com/securityalert/8131 http://svn.apache.org/viewvc?view=revision&revision=1079752 http://tomcat.apache.org/security-7.html http://www.osvdb.org/71027 http://www.securityfocus.com/bid •