VYPR

rpm package

suse/tomcat&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP2

pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2

Vulnerabilities (25)

  • CVE-2020-13935HigJul 14, 2020
    affected < 8.0.53-29.37.1fixed 8.0.53-29.37.1

    The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lea

  • CVE-2020-8022HigJun 29, 2020
    affected < 8.0.53-29.32.1fixed 8.0.53-29.32.1

    A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux

  • CVE-2020-9484HigMay 20, 2020
    affected < 8.0.53-29.27.1fixed 8.0.53-29.27.1

    When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; a

  • CVE-2020-1938CriKEVFeb 24, 2020
    affected < 8.0.53-29.22.1fixed 8.0.53-29.22.1

    When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exp

  • CVE-2020-1935MedFeb 24, 2020
    affected < 8.0.53-29.37.1fixed 8.0.53-29.37.1

    In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located be

  • CVE-2019-17569MedFeb 24, 2020
    affected < 8.0.53-29.27.1fixed 8.0.53-29.27.1

    The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomca

  • CVE-2019-12418HigDec 23, 2019
    affected < 8.0.53-29.27.1fixed 8.0.53-29.27.1

    When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack

  • CVE-2019-17563HigDec 23, 2019
    affected < 8.0.53-29.27.1fixed 8.0.53-29.27.1

    When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the si

  • CVE-2019-0221MedMay 28, 2019
    affected < 8.0.53-29.27.1fixed 8.0.53-29.27.1

    The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be pr

  • CVE-2018-1304MedFeb 28, 2018
    affected < 8.0.50-29.8.2fixed 8.0.50-29.8.2

    The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint

  • CVE-2018-1305MedFeb 23, 2018
    affected < 8.0.50-29.8.2fixed 8.0.50-29.8.2

    Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any

  • CVE-2017-15706MedJan 31, 2018
    affected < 8.0.50-29.8.2fixed 8.0.50-29.8.2

    As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was no

  • CVE-2017-12617HigKEVOct 4, 2017
    affected < 8.0.43-29.5.1fixed 8.0.43-29.5.1

    When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a

  • CVE-2017-7674MedAug 11, 2017
    affected < 8.0.43-29.5.1fixed 8.0.43-29.5.1

    The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

  • CVE-2016-6796HigAug 11, 2017
    affected < 8.0.36-17.1fixed 8.0.36-17.1

    A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

  • CVE-2016-8745HigAug 10, 2017
    affected < 8.0.43-23.1fixed 8.0.43-23.1

    A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple time

  • CVE-2016-6797HigAug 10, 2017
    affected < 8.0.36-17.1fixed 8.0.36-17.1

    The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Theref

  • CVE-2016-6794MedAug 10, 2017
    affected < 8.0.36-17.1fixed 8.0.36-17.1

    When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement fe

  • CVE-2016-5018CriAug 10, 2017
    affected < 8.0.36-17.1fixed 8.0.36-17.1

    In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

  • CVE-2016-0762MedAug 10, 2017
    affected < 8.0.36-17.1fixed 8.0.36-17.1

    The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid

Page 1 of 2