CVSS: 9.8EPSS: 24%CPEs: 142EXPL: 3CVE-2009-3548 – Apache Tomcat Manager - Application Upload (Authenticated) Code Execution
https://notcve.org/view.php?id=CVE-2009-3548
12 Nov 2009 — The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges. El instalador de Windows para Apache Tomcat 6.0.0 a 6.0.20, 5.5.0 a 5.5.28, y posiblemente versiones anteriores, usa una contraseña en blanco por defecto para el usuario administrador, lo que permite a atacantes remotos obtener privilegios. Potential security vulnerabilities have been ide... • https://packetstorm.news/files/id/125021 • CWE-255: Credentials Management Errors •
CVSS: 7.5EPSS: 0%CPEs: 80EXPL: 0CVE-2008-5515 – tomcat request dispatcher information disclosure vulnerability
https://notcve.org/view.php?id=CVE-2008-5515
16 Jun 2009 — Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request. Apache Tomcat desde v4.1.0 hasta v4.1.39, desde v5.5.0 hasta v5.5.27, desde v6.0.0 hasta v6.0.18, y posiblemente version... • http://jvn.jp/en/jp/JVN63832775/index.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 96%CPEs: 87EXPL: 2CVE-2009-0580 – Apache Tomcat 6.0.18 - Form Authentication Existing/Non-Existing 'Username' Enumeration
https://notcve.org/view.php?id=CVE-2009-0580
05 Jun 2009 — Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter. Apache Tomcat v4.1.0 hasta v4.1.39, v5.5.0 hasta v5.5.27, y v6.0.0 hasta v6... • https://packetstorm.news/files/id/181053 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 2%CPEs: 87EXPL: 0CVE-2009-0033 – tomcat6 Denial-Of-Service with AJP connection
https://notcve.org/view.php?id=CVE-2009-0033
05 Jun 2009 — Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header. Apache Tomcat v4.1.0 hasta v4.1.39, v5.5.0 hasta v5.5.27 y v6.0.0 hasta v6.0.18, cuando se utilizan el c... • http://jvn.jp/en/jp/JVN87272440/index.html • CWE-20: Improper Input Validation •
CVSS: 4.6EPSS: 0%CPEs: 3EXPL: 0CVE-2009-0783 – tomcat XML parser information disclosure
https://notcve.org/view.php?id=CVE-2009-0783
05 Jun 2009 — Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. Apache Tomcat v4.1.0 hasta la v4.1.39, v5.5.0 hasta la v5.5.27 y v6.0.0 hasta la v6.0.18 permite a las aplicaciones web reemplazar un "parser" (... • http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 128EXPL: 1CVE-2008-5519 – mod_jk: session information leak
https://notcve.org/view.php?id=CVE-2008-5519
09 Apr 2009 — The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers. El conector JK (tambien conocido como mod_jk) v1.2.0 hasta la v... • http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 9%CPEs: 85EXPL: 0CVE-2009-0781 – tomcat: XSS in Apache Tomcat calendar application
https://notcve.org/view.php?id=CVE-2009-0781
09 Mar 2009 — Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." Una vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en jsp/cal/cal2.jsp en la aplicación 'calendar' de los ejemplos de aplicaciones Web de Apache Tomcat 4.1.0 a... • http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 14EXPL: 1CVE-2008-4308
https://notcve.org/view.php?id=CVE-2008-4308
26 Feb 2009 — The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 does not return a -1 to indicate when a certain error condition has occurred, which can cause Tomcat to send POST content from one request to a different request. El método doRead en Apache Tomcat v4.1.32 hasta v4.1.34 y v5.5.10 hasta v5.5.20 no devuelve un -1 para indicar que una cierta condición de error ha ocurrido, lo que puede causar Tomcat enviar un contenido POST desde una petición a diferentes peticiones. • http://jvn.jp/en/jp/JVN66905322/index.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 96%CPEs: 3EXPL: 5CVE-2008-2938 – Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)
https://notcve.org/view.php?id=CVE-2008-2938
13 Aug 2008 — Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version. Una vulnerabilidad de salto de directorio (Directory Traversal) en Apache To... • https://packetstorm.news/files/id/180872 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 14%CPEs: 82EXPL: 2CVE-2008-2370 – Apache Tomcat 6.0.16 - 'RequestDispatcher' Information Disclosure
https://notcve.org/view.php?id=CVE-2008-2370
04 Aug 2008 — Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. Apache Tomcat 4.1.0 hasta la 4.1.37, 5.5.0 hasta la 5.5.26 y 6.0.0 hasta la 6.0.16, cuando se utiliza RequestDispatcher, realiza una regularización de ruta antes de eliminar la caden... • https://www.exploit-db.com/exploits/32137 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •