VYPR

Maven package

org.apache.tomcat/tomcat

pkg:maven/org.apache.tomcat/tomcat

Vulnerabilities (148)

  • CVE-2009-0580Jun 5, 2009
    affected >= 4.1.0, < 4.1.40fixed 4.1.40

    Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checkin

  • CVE-2009-0033Jun 5, 2009
    affected >= 4.1.0, <= 4.1.39

    Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to tem

  • CVE-2009-0781Mar 9, 2009
    affected >= 4.1.0, <= 4.1.39

    Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the ti

  • CVE-2008-4308Feb 26, 2009
    affected >= 4.1.32, < 4.1.35fixed 4.1.35

    The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 does not return a -1 to indicate when a certain error condition has occurred, which can cause Tomcat to send POST content from one request to a different request.

  • CVE-2008-2938Aug 13, 2008
    affected >= 4.1.0, < 4.1.39fixed 4.1.39

    Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vuln

  • CVE-2008-2370Aug 4, 2008
    affected >= 4.1.0, < 4.1.38fixed 4.1.38

    Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary

  • CVE-2008-1232Aug 4, 2008
    affected >= 4.1.0, < 4.1.38fixed 4.1.38

    Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendE

  • CVE-2008-1947Jun 4, 2008
    affected >= 5.5.9, < 5.5.27fixed 5.5.27

    Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.

  • CVE-2008-0002Feb 12, 2008
    affected >= 6.0.0, < 6.0.16fixed 6.0.16

    Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by disconnecting during this processing in order t

  • CVE-2007-6286Feb 12, 2008
    affected >= 5.5.11, <= 5.5.25

    Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated b

  • CVE-2007-5333Feb 12, 2008
    affected >= 6.0.0, < 6.0.15fixed 6.0.15

    Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remo

  • CVE-2007-5461Oct 15, 2007
    affected >= 4.0.0, <= 4.0.6

    Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity wi

  • CVE-2007-4724Sep 5, 2007
    affected <= 4.1.31

    Cross-site request forgery (CSRF) vulnerability in cal2.jsp in the calendar examples application in Apache Tomcat 4.1.31 allows remote attackers to add events as arbitrary users via the time and description parameters.

  • CVE-2007-3385Aug 14, 2007
    affected >= 6.0.0, <= 6.0.13

    Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session

  • CVE-2007-3382Aug 14, 2007
    affected >= 6.0.0, <= 6.0.13

    Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking

  • CVE-2007-3384Aug 8, 2007
    affected >= 3.3.0, <= 3.3.2

    Multiple cross-site scripting (XSS) vulnerabilities in examples/servlet/CookieExample in Apache Tomcat 3.3 through 3.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Value field, related to error messages.

  • CVE-2007-3383Jul 25, 2007
    affected >= 4.0.0, <= 4.0.6

    Cross-site scripting (XSS) vulnerability in SendMailServlet in the examples web application (examples/jsp/mail/sendmail.jsp) in Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.36 allows remote attackers to inject arbitrary web script or HTML via the From field and possibl

  • CVE-2007-2450Jun 14, 2007
    affected >= 4.0.0, <= 4.0.6

    Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject

  • CVE-2007-2449Jun 14, 2007
    affected >= 4.0.0, <= 4.0.6

    Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web

  • CVE-2007-1358May 10, 2007
    affected >= 4.0.0, <= 4.0.6

    Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".

Page 6 of 8