CVE-2009-0783
Description
Apache Tomcat allows a malicious web application to replace the XML parser, enabling reading or modification of configuration files of other applications.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Apache Tomcat versions 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 contain a vulnerability where a web application can replace the XML parser used by other web applications [1][3][4]. This allows a crafted application loaded earlier to affect the parsing of XML configuration files (web.xml, context.xml, tld files) of other applications.
Exploitation
An attacker must have the ability to deploy a malicious web application to the Tomcat server (local user with deploy permissions). The crafted application must be loaded before the target application. By replacing the XML parser, the attacker can intercept or modify the parsing of configuration files of other applications.
Impact
Successful exploitation allows the attacker to read or modify the web.xml, context.xml, or tld files of arbitrary web applications. This could lead to disclosure of sensitive configuration data or alteration of application behavior, potentially resulting in privilege escalation or further compromise.
Mitigation
Tomcat 6.0.x has reached end of life and no fix will be provided [1]. Tomcat 5.x is also end of life [4]. Users should upgrade to Tomcat 9.0.x or later. For affected versions, no patch is available; the only mitigation is to restrict deployment of untrusted applications. Apple included a fix in Security Update 2010-002 for Mac OS X [2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat (Maven) | >= 4.1.0, <= 4.1.39 | none |
| org.apache.tomcat:tomcat (Maven) | >= 5.5.0, <= 5.5.27 | none |
| org.apache.tomcat:tomcat (Maven) | >= 6.0.0, < 6.0.20 | 6.0.20 |
Affected products (2)
Patches (0)
No patches discovered yet.
References (56)
- svn.apache.org/viewvc (nvd: Patch, WEB)
- svn.apache.org/viewvc (nvd: Patch, WEB)
- svn.apache.org/viewvc (nvd: Patch, WEB)
- svn.apache.org/viewvc (nvd: Patch, WEB)
- svn.apache.org/viewvc (nvd: Patch, WEB)
- tomcat.apache.org/security-4.html (nvd: Patch, Vendor Advisory, WEB)
- tomcat.apache.org/security-5.html (nvd: Patch, Vendor Advisory, WEB)
- tomcat.apache.org/security-6.html (nvd: Patch, Vendor Advisory, WEB)
- issues.apache.org/bugzilla/show_bug.cgi (nvd: Issue Tracking, Patch, WEB)
- lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html (nvd: Third Party Advisory, WEB)
- marc.info (nvd: Third Party Advisory, WEB)
- marc.info (nvd: Third Party Advisory, WEB)
- marc.info (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/35685 (nvd: Vendor Advisory, WEB)
- secunia.com/advisories/35788 (nvd: Vendor Advisory, WEB)
- secunia.com/advisories/37460 (nvd: Vendor Advisory, WEB)
- secunia.com/advisories/42368 (nvd: Vendor Advisory, WEB)
- sunsolve.sun.com/search/document.do (nvd: Third Party Advisory, WEB)
- support.apple.com/kb/HT4077 (nvd: Third Party Advisory, WEB)
- www.debian.org/security/2011/dsa-2207 (nvd: Third Party Advisory, WEB)
- www.mandriva.com/security/advisories (nvd: Third Party Advisory, WEB)
- www.mandriva.com/security/advisories (nvd: Third Party Advisory, WEB)
- www.mandriva.com/security/advisories (nvd: Third Party Advisory, WEB)
- www.securityfocus.com/archive/1/504090/100/0/threaded (nvd: Third Party Advisory, VDB Entry, WEB)
- www.securityfocus.com/archive/1/507985/100/0/threaded (nvd: Third Party Advisory, VDB Entry, WEB)
- www.securityfocus.com/bid/35416 (nvd: Third Party Advisory, VDB Entry, WEB)
- www.securitytracker.com/id (nvd: Third Party Advisory, VDB Entry, WEB)
- www.vmware.com/security/advisories/VMSA-2009-0016.html (nvd: Third Party Advisory, WEB)
- www.vupen.com/english/advisories/2009/1856 (nvd: Vendor Advisory, WEB)
- www.vupen.com/english/advisories/2009/3316 (nvd: Vendor Advisory, WEB)
- www.vupen.com/english/advisories/2010/3056 (nvd: Vendor Advisory, WEB)
- github.com/advisories/GHSA-hhjg-g8xq-hhr3 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2009-0783 (ghsa: ADVISORY)
- www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html (nvd: Third Party Advisory, WEB)
- www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html (nvd: Third Party Advisory, WEB)
- www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html (nvd: Third Party Advisory, WEB)
- lists.apple.com/archives/security-announce/2010//Mar/msg00001.html (nvd: Mailing List, WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/51195 (nvd: VDB Entry, WEB)
- issues.apache.org/bugzilla/show_bug.cgi (nvd: Issue Tracking, WEB)
- lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716 (nvd: Tool Signature, WEB)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913 (nvd: Tool Signature, WEB)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450 (nvd: Tool Signature, WEB)