CVSS: 5.5EPSS: 0%CPEs: 54EXPL: 0CVE-2013-0346
https://notcve.org/view.php?id=CVE-2013-0346
15 Feb 2014 — Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor has stated "The tomcat log directory does not contain any sensitive information." ** DISPUTADA ** Apache Tomcat 7.x utiliza permisos de lectura para todos para los directorios de registros LOG y sus archivos, lo que permitiría a usuarios locales obtener información sensible mediante la lectura de un archivo. NOTA:... • http://www.openwall.com/lists/oss-security/2013/02/23/5 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 42%CPEs: 74EXPL: 4CVE-2014-0050 – Apache Commons FileUpload and Apache Tomcat - Denial of Service
https://notcve.org/view.php?id=CVE-2014-0050
07 Feb 2014 — MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. MultipartStream.java en Apache Commons FileUpload anterior a 1.3.1, utilizado en Apache Tomcat, JBoss Web y otros productos, permite a atacantes remotos causar una denegación de servicio (bucle infinito y consumo de CPU... • https://packetstorm.news/files/id/180508 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2013-2185 – Tomcat/JBossWeb: Arbitrary file upload via deserialization
https://notcve.org/view.php?id=CVE-2013-2185
04 Sep 2013 — The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications t... • http://openwall.com/lists/oss-security/2014/10/24/12 • CWE-20: Improper Input Validation CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 3.7EPSS: 0%CPEs: 31EXPL: 1CVE-2013-2071 – tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw RuntimeExceptions
https://notcve.org/view.php?id=CVE-2013-2071
28 May 2013 — java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes. java/org/apache/catalina/core/AsyncContextImpl.java en Apache Tomcat v7.x anteriores a v7.0.40 no gestionan de forma a... • http://archives.neohapsis.com/archives/bugtraq/2013-05/0040.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 1%CPEs: 43EXPL: 0CVE-2013-2067 – tomcat: Session fixation in form authenticator
https://notcve.org/view.php?id=CVE-2013-2067
28 May 2013 — java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack. v6.0.21 hasta v6.0.36 y v7.x anteriores a v7.0.33 no maneja de forma adecuada las relaciones en... • http://archives.neohapsis.com/archives/bugtraq/2013-05/0041.html • CWE-287: Improper Authentication CWE-384: Session Fixation •
CVSS: 5.3EPSS: 8%CPEs: 72EXPL: 0CVE-2012-3544 – tomcat: Limited DoS in chunked transfer encoding input filter
https://notcve.org/view.php?id=CVE-2012-3544
28 May 2013 — Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data. Apache Tomcat v6.x anteriores a v6.0.37 y v7.x anteriores a v7.0.30 no gestionan de forma adecuada las extensiones troceadas, en la transferencia de trozos codificados, lo que permite a atacantes remotos a provocar una denegación de servicio mediante datos en stream. It was discovered that Tomcat incorrectly ... • http://archives.neohapsis.com/archives/bugtraq/2013-05/0042.html • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 12%CPEs: 70EXPL: 1CVE-2012-4534 – Tomcat - Denial Of Service when using NIO+SSL+sendfile
https://notcve.org/view.php?id=CVE-2012-4534
19 Dec 2012 — org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response. org/apache/tomcat/util/net/NioEndpoint.java en Apache Tomcat v6.x antes de v6.0.36 y v7.x antes de V7.0.28, cuando el conector NIO se utiliza junto con sendfile y HTTPS permite a atacantes remotos provocar ... • http://archives.neohapsis.com/archives/bugtraq/2012-12/0043.html • CWE-399: Resource Management Errors •
CVSS: 4.3EPSS: 0%CPEs: 72EXPL: 1CVE-2012-4431 – Tomcat/JBoss Web - Bypass of CSRF prevention filter
https://notcve.org/view.php?id=CVE-2012-4431
19 Dec 2012 — org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. org/apache/catalina/filters/CsrfPreventionFilter.java en Apache Tomcat v6.x antes de v6.0.36 y v7.x antes de v7.0.32 permite a atacantes remotos evitar el mecanismo de protección de CSRF a través de una petición que carece de un identificador de sesión. Potenti... • https://github.com/imjdl/CVE-2012-4431 • CWE-264: Permissions, Privileges, and Access Controls CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 66EXPL: 0CVE-2012-3546 – Web: Bypass of security constraints
https://notcve.org/view.php?id=CVE-2012-3546
19 Dec 2012 — org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI. org/apache/catalina/campo/RealmBase.java en Apache Tomcat v6.x antes de v6.0.36 y v7.x antes de v7.0.30, cuando se utiliza la autenticación de formularios, permite a atacantes remotos evitar restricciones de segurid... • http://archives.neohapsis.com/archives/bugtraq/2012-12/0044.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 1CVE-2012-5568
https://notcve.org/view.php?id=CVE-2012-5568
30 Nov 2012 — Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. Apache Tomcat hasta v7.0.x permite a atacantes remotos provocar una denegación de servicio (parada del demonio) a través de peticiones HTTP parciales, tal y como quedó demostrado por Slowloris. • http://captainholly.wordpress.com/2009/06/19/slowloris-vs-tomcat •