VYPR

rpm package

suse/tomcat&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP1

pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1

Vulnerabilities (36)

  • CVE-2016-5018CriAug 10, 2017
    affected < 8.0.32-10.13.2fixed 8.0.32-10.13.2

    In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

  • CVE-2016-0762MedAug 10, 2017
    affected < 8.0.32-10.13.2fixed 8.0.32-10.13.2

    The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid

  • CVE-2017-5664HigJun 6, 2017
    affected < 8.0.43-10.24.1fixed 8.0.43-10.24.1

    The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error pag

  • CVE-2017-5648CriApr 17, 2017
    affected < 8.0.43-10.19.1fixed 8.0.43-10.19.1

    While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a Securi

  • CVE-2017-5647HigApr 17, 2017
    affected < 8.0.43-10.19.1fixed 8.0.43-10.19.1

    A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous reque

  • CVE-2016-8735CriKEVApr 6, 2017
    affected < 8.0.32-10.13.2fixed 8.0.32-10.13.2

    Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated

  • CVE-2016-6816HigMar 20, 2017
    affected < 8.0.32-10.13.2fixed 8.0.32-10.13.2

    The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characte

  • CVE-2016-5388HigJul 19, 2016
    affected < 8.0.32-8.7fixed 8.0.32-8.7

    Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attacke

  • CVE-2016-3092HigJul 4, 2016
    affected < 8.0.32-8.7fixed 8.0.32-8.7

    The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long bo

  • CVE-2016-0763MedFeb 25, 2016
    affected < 8.0.32-3.1fixed 8.0.32-3.1

    The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticate

  • CVE-2016-0714HigFeb 25, 2016
    affected < 8.0.32-3.1fixed 8.0.32-3.1

    The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary co

  • CVE-2016-0706MedFeb 25, 2016
    affected < 8.0.32-3.1fixed 8.0.32-3.1

    Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass int

  • CVE-2015-5351HigFeb 25, 2016
    affected < 8.0.32-3.1fixed 8.0.32-3.1

    The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a toke

  • CVE-2015-5346HigFeb 25, 2016
    affected < 8.0.32-3.1fixed 8.0.32-3.1

    Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leverag

  • CVE-2015-5345MedFeb 25, 2016
    affected < 8.0.32-3.1fixed 8.0.32-3.1

    The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that l

  • CVE-2015-5174MedFeb 25, 2016
    affected < 8.0.32-3.1fixed 8.0.32-3.1

    Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname

Page 2 of 2