CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2014-0033 – tomcat: session fixation still possible with disableURLRewriting enabled
https://notcve.org/view.php?id=CVE-2014-0033
org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL. org/apache/catalina/connector/CoyoteAdapter.java en Apache Tomcat 6.0.33 hasta 6.0.37 no considera la configuración disableURLRewriting cuando maneja un ID de sesión en una URL, lo que permite a atacantes remotos realizar ataques de fijación de sesión a través de una URL manipulada. It was found that previous fixes in Tomcat 6 to path parameter handling introduced a regression that caused Tomcat to not properly disable URL rewriting to track session IDs when the disableURLRewriting option was enabled. A man-in-the-middle attacker could potentially use this flaw to hijack a user's session. • http://seclists.org/fulldisclosure/2014/Dec/23 http://secunia.com/advisories/59036 http://secunia.com/advisories/59722 http://secunia.com/advisories/59873 http://svn.apache.org/viewvc?view=revision&revision=1558822 http://tomcat.apache.org/security-6.html http://www-01.ibm.com/support/docview.wss?uid=swg21675886 http://www-01.ibm.com/support/docview.wss?uid=swg21677147 http://www-01.ibm.com/support/docview.wss?uid=swg21678231 http://www.debian.org/security/2016/dsa-3530 • CWE-20: Improper Input Validation CWE-384: Session Fixation •
CVSS: 5.8EPSS: 0%CPEs: 183EXPL: 0CVE-2013-4286 – tomcat: multiple content-length header poisoning flaws
https://notcve.org/view.php?id=CVE-2013-4286
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090. Apache Tomcat anterior a 6.0.39, 7.x anterior a 7.0.47 y 8.x anterior a 8.0.0-RC3, cuando se utiliza un conector HTTP o AJP, no maneja debidamente ciertas cabeceras de solicitud HTTP inconsistentes, lo que permite a atacantes remotos provocar una identificación incorrecta de la longitud de una solicitud y realizar ataques request-smuggling a través de (1) múltiples cabeceras de Content-Length o (2) una cabecera de Content-Length y una cabecera de "Transfer-Encoding: chunked". NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2005-2090. It was found that when Tomcat / JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat / JBoss Web would incorrectly handle the request. • http://advisories.mageia.org/MGASA-2014-0148.html http://marc.info/?l=bugtraq&m=141390017113542&w=2 http://marc.info/?l=bugtraq&m=144498216801440&w=2 http://rhn.redhat.com/errata/RHSA-2014-0343.html http://rhn.redhat.com/errata/RHSA-2014-0344.html http://rhn.redhat.com/errata/RHSA-2014-0345.html http://seclists.org/fulldisclosure/2014/Dec/23 http://secunia.com/advisories/57675 http://secunia.com/advisories/59036 http://secunia.com/advisories/59675 http:// • CWE-20: Improper Input Validation •
CVSS: 2.1EPSS: 0%CPEs: 54EXPL: 0CVE-2013-0346
https://notcve.org/view.php?id=CVE-2013-0346
Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor has stated "The tomcat log directory does not contain any sensitive information." ** DISPUTADA ** Apache Tomcat 7.x utiliza permisos de lectura para todos para los directorios de registros LOG y sus archivos, lo que permitiría a usuarios locales obtener información sensible mediante la lectura de un archivo. NOTA: Un distribuidor Tomcat ha declarado "El directorio de registros LOG de Tomcat no contiene ninguna información sensible". • http://www.openwall.com/lists/oss-security/2013/02/23/5 https://bugzilla.redhat.com/show_bug.cgi?id=924841 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 21%CPEs: 74EXPL: 2CVE-2014-0050 – Apache Commons FileUpload and Apache Tomcat - Denial of Service
https://notcve.org/view.php?id=CVE-2014-0050
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. MultipartStream.java en Apache Commons FileUpload anterior a 1.3.1, utilizado en Apache Tomcat, JBoss Web y otros productos, permite a atacantes remotos causar una denegación de servicio (bucle infinito y consumo de CPU) a través de una cabecera Content-Type manipulada que evade las condiciones de salida del bucle. A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request. • https://www.exploit-db.com/exploits/31615 http://advisories.mageia.org/MGASA-2014-0110.html http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html http://jvn.jp/en/jp/JVN14876762/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017 http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907%40apache.org%3E http://marc.info/?l=bugtraq&m=143136844732487&w=2 http://packetstormsecurity.com/files/127215/VMware& • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 0%CPEs: 93EXPL: 2CVE-2013-6357 – Apache Tomcat 5.5.25 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2013-6357
Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator. ** DISPUTADO ** Vulnerabilidad de CSRF en la aplicación Manager en Apache Tomcat 5.5.25 y anteriores versiones permite a atacantes remotos secuestrar la autenticación de peticiones de administrador que manipulen la distribución de aplicaciones a través del método POST, tal tal y como se demuestra mediante la URI /manager/html/undeploy?path=. NOTA: el vendedor discute la importancia de este reporte, indicando que "el equipo de seguridad de Apache Tomcat no acepta ningún reporte de ataques CSRF contra la aplicación Manager ... ya que requieren un administrador de sistemas imprudente". • https://www.exploit-db.com/exploits/29435 http://www.webapp-security.com/wp-content/uploads/2013/11/Apache-Tomcat-5.5.25-CSRF-Vulnerabilities.txt • CWE-352: Cross-Site Request Forgery (CSRF) •