CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 1CVE-2012-5568
https://notcve.org/view.php?id=CVE-2012-5568
30 Nov 2012 — Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. Apache Tomcat hasta v7.0.x permite a atacantes remotos provocar una denegación de servicio (parada del demonio) a través de peticiones HTTP parciales, tal y como quedó demostrado por Slowloris. • http://captainholly.wordpress.com/2009/06/19/slowloris-vs-tomcat •
CVSS: 5.3EPSS: 0%CPEs: 107EXPL: 0CVE-2012-5885 – tomcat: three DIGEST authentication implementation issues
https://notcve.org/view.php?id=CVE-2012-5885
17 Nov 2012 — The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184. La funcionalidad replay-countermeasure en Apache Tomcat ... • http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 0%CPEs: 107EXPL: 0CVE-2012-5886 – tomcat: three DIGEST authentication implementation issues
https://notcve.org/view.php?id=CVE-2012-5886
17 Nov 2012 — The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID. La implementación de HTTP Digest Access Authentication en Apache Tomcat v5.5.x antes de v5.5.36, 6.x antes 6.0.36, v7.x antes de v7.0.30 cachés información sobre el usuario autenticado en el estado d... • http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 107EXPL: 0CVE-2012-5887 – tomcat: three DIGEST authentication implementation issues
https://notcve.org/view.php?id=CVE-2012-5887
17 Nov 2012 — The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests. La implementación de HTTP Digest Access Authentication en Apache Tomcat v5.5.x antes de v5.5.36, v6.x antes de v6.0.36, v7.x antes de v7.0.30 no comprue... • http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 4%CPEs: 70EXPL: 0CVE-2012-2733 – tomcat: HTTP NIO connector OOM DoS via a request with large headers
https://notcve.org/view.php?id=CVE-2012-2733
16 Nov 2012 — java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data. java/org/apache/coyote/http11/InternalNioInputBuffer.java en el conector HTTP NIO en Apache Tomcat v6.x antes de v6.0.36 y v7.x antes de V7.0.28 no restringe correctamente el tamaño de la petición de cabe... • http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 26EXPL: 0CVE-2011-3375 – tomcat: information disclosure due to improper response and request object recycling
https://notcve.org/view.php?id=CVE-2011-3375
19 Jan 2012 — Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data. Apache Tomcat v6.0.30 a v6.0.33 y v7.x antes de v7.0.22 no realiza correctamente ciertas operaciones de almacenamiento en caché y reciclado de objetos de solicitud, lo cual permite a atacantes remotos ob... • http://tomcat.apache.org/security-6.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 13%CPEs: 90EXPL: 0CVE-2012-0022 – tomcat: large number of parameters DoS
https://notcve.org/view.php?id=CVE-2012-0022
19 Jan 2012 — Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858. Apache Tomcat v5.5.x antes de v5.5.35, v6.x antes de v6.0.34, v7.x antes de v7.0.23 utiliza un método ineficiente para el manejo de parámetros, lo que permite provocar una denegación de servici... • http://archives.neohapsis.com/archives/bugtraq/2012-01/0112.html • CWE-189: Numeric Errors •
CVSS: 5.3EPSS: 80%CPEs: 59EXPL: 2CVE-2011-4858 – MyBulletinBoard (MyBB) 1.1.5 - 'CLIENT-IP' SQL Injection
https://notcve.org/view.php?id=CVE-2011-4858
05 Jan 2012 — Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. Apache Tomcat antes de v5.5.35, v6.x antes de v6.0.35 y v7.x antes de v7.0.23 calcula los valores hash de los parámetros de los formularios, sin restringir la capacidad de desencadenar colisiones de hash de forma pre... • https://packetstorm.news/files/id/180523 • CWE-399: Resource Management Errors •
CVSS: 5.3EPSS: 0%CPEs: 23EXPL: 0CVE-2011-3376
https://notcve.org/view.php?id=CVE-2011-3376
11 Nov 2011 — org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality. org/apache/catalina/core/DefaultInstanceManager.java en Apache Tomcat v7.x anteriores a v7.0.22 no restringe adecuadamente ContainerServlets en la aplicación Manager, lo que permite a usuarios locales conseguir privile... • http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java?r1=1176588&r2=1176587&pathrev=1176588 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 1%CPEs: 85EXPL: 1CVE-2011-3190 – tomcat: authentication bypass and information disclosure
https://notcve.org/view.php?id=CVE-2011-3190
31 Aug 2011 — Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request. Algunas implementaciones del conector del protocolo AJP en Apache Tomcat v7.0.0 a v7.0.20, v6.0.0 a v6.0.33, v5.5.0 a v5.5.33, y posiblemente con otras versiones, permiten a atacant... • http://marc.info/?l=bugtraq&m=132215163318824&w=2 • CWE-264: Permissions, Privileges, and Access Controls •