
Apache Tomcat 3.x vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 3.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team - please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.


Not fixed in Apache Tomcat 3.x

important: Denial of service CVE-2005-0808

Tomcat 3.x can be remotely caused to crash or shutdown by a connection sending the right sequence of bytes to the AJP12 protocol port (TCP 8007 by default). Tomcat 3.x users are advised to ensure that this port is adequately firewalled to ensure it is not accessible to remote attackers. There are no plans to issue an update to Tomcat 3.x for this issue.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.2


Fixed in Apache Tomcat 3.3.2

moderate: Cross site scripting CVE-2003-0044

The root web application and the examples web application contained a number of cross-site scripting vulnerabilities. Note that it is recommended that the examples web application is not installed on production servers.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.1a


Fixed in Apache Tomcat 3.3.1a

important: Information disclosure CVE-2003-0043

When used with JDK 1.3.1 or earlier, web.xml files were read with trusted privileges enabling files outside of the web application to be read even when running under a security manager.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.1

important: Information disclosure CVE-2003-0042

URLs containing null characters could result in file contents being returned or a directory listing being returned even when a welcome file was defined.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.1


Fixed in Apache Tomcat 3.3.1

important: Denial of service CVE-2003-0045

JSP page names that match a Windows DOS device name, such as aux.jsp, may cause the thread processing the request to become unresponsive. A sequence of such requests may cause all request processing threads, and hence Tomcat, to become unresponsive.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3
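The two request-path issues above, null characters in URLs (CVE-2003-0042) and JSP names matching Windows DOS device names (CVE-2003-0045), share a defensive check: reject or flag any request whose decoded path contains a NUL byte or whose final segment resolves to a reserved device name. The following is an added example, not Tomcat's own code and not a patch from the Tomcat project; the function names `check_request_path` and `find_suspicious_requests` are hypothetical, and the access-log lines are constructed for the demonstration. It can be used as a filter in front of an old server that cannot be upgraded, or run over existing access logs to find past requests of these shapes.

```python
"""Hypothetical request-path checks for two Tomcat 3.x issue classes:
NUL bytes in URLs (CVE-2003-0042) and Windows DOS device names used as
page names (CVE-2003-0045). Example code, not part of Apache Tomcat."""
import re
from urllib.parse import unquote

# Reserved Windows device names. A request for "aux.jsp" reaches the AUX
# device because Windows ignores the extension when matching these names.
_DOS_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{base}{n}" for base in ("COM", "LPT") for n in range(1, 10)
}


def check_request_path(raw_path):
    """Return a rejection reason for a request path, or None if it is clean.

    raw_path is the URL as received, still percent-encoded, so an encoded
    NUL arrives as "%00" and only becomes a real NUL byte after decoding."""
    path = unquote(raw_path)
    if "\x00" in path:
        return "null byte in path"
    # Drop any query string and look at the last path segment only.
    path = path.split("?", 1)[0]
    segment = path.rsplit("/", 1)[-1]
    # Windows matches device names on the stem before the first dot,
    # case-insensitively, and ignores trailing spaces and dots.
    stem = segment.split(".", 1)[0].rstrip(" .").upper()
    if stem in _DOS_DEVICE_NAMES:
        return f"windows device name {stem}"
    return None


# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2003:10:00:00 +0000] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.5 - - [01/Jan/2003:10:00:01 +0000] "GET /%00 HTTP/1.0" 200 1024
10.0.0.5 - - [01/Jan/2003:10:00:02 +0000] "GET /examples/aux.jsp HTTP/1.0" 200 0
10.0.0.5 - - [01/Jan/2003:10:00:03 +0000] "GET /docs/com1.html HTTP/1.0" 404 120
10.0.0.5 - - [01/Jan/2003:10:00:04 +0000] "GET /auxiliary/page.jsp HTTP/1.0" 200 300
"""

# Pulls the request target out of the quoted request line.
_REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def find_suspicious_requests(log_text):
    """Scan access-log text; return (line_number, path, reason) per hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        reason = check_request_path(m.group(1))
        if reason:
            hits.append((lineno, m.group(1), reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Note that "/auxiliary/page.jsp" is not flagged: the check matches the device name only as the complete stem of the last segment, so ordinary names that merely start with "aux" or "con" pass. Decoding happens exactly once before the NUL check, which is the order in which the server would see the byte.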



Copyright © 1999-2006, The Apache Software Foundation