
Apache Tomcat 4.x vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 4.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team - please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect, and where a flaw has not been verified, the version is listed with a question mark.

This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.


Fixed in Apache Tomcat 4.1.32

low: Directory listing CVE-2006-3835

This is expected behaviour when directory listings are enabled. The semicolon (;) is the separator for path parameters, so inserting one before a file name changes the request into a request for a directory with a path parameter. If directory listings are enabled, a directory listing will be shown. In response to this and other directory listing issues, directory listings were changed to be disabled by default.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.31
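To find requests of this shape in existing access logs, the following is an added detection example (not code from the Tomcat project or from this page): it parses Common Log Format lines, the format Tomcat's AccessLogValve writes with pattern="common", and flags requests whose last path segment carries a path parameter other than the legitimate `;jsessionid=` URL-rewriting token. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Common Log Format (Tomcat AccessLogValve, pattern="common").
# The regex and the log lines below are constructed sample data.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2006:10:01:02 +0000] "GET /docs/index.html HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2006:10:01:03 +0000] "GET /docs/;index.html HTTP/1.1" 200 8192
10.0.0.7 - - [12/Mar/2006:10:01:04 +0000] "GET /shop/cart.jsp;jsessionid=ABC123 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2006:10:01:05 +0000] "GET /images/;logo.png HTTP/1.0" 404 512
"""


def has_suspicious_path_parameter(uri: str) -> bool:
    """True if the last path segment carries a path parameter other than
    Tomcat's own ;jsessionid=... token (query string is ignored)."""
    path = urlsplit(uri).path
    last_segment = path.rsplit("/", 1)[-1]
    if ";" not in last_segment:
        return False
    params = last_segment.split(";")[1:]
    return any(not p.lower().startswith("jsessionid=") for p in params)


def scan_access_log(text: str) -> list:
    """Return (client, uri, status) for each request whose path carries a
    non-session path parameter; a 200 status on such a request means a
    listing (or other content) was actually served for it."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        if has_suspicious_path_parameter(m["uri"]):
            hits.append((m["host"], m["uri"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for host, uri, status in scan_access_log(SAMPLE_LOG):
        print(f"{host} requested {uri} -> HTTP {status}")
```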

important: Denial of service CVE-2005-3510

The root cause is the relatively expensive calls required to generate the content for the directory listings. If directory listings are enabled, the number of files in each directory should be kept to a minimum. In response to this issue, directory listings were changed to be disabled by default. Additionally, a patch has been proposed that would improve performance, particularly for large directories, by caching directory listings.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.31


Fixed in Apache Tomcat 4.1.0

important: Denial of service CVE-2003-0866

A malformed HTTP request can cause the request processing thread to become unresponsive. A sequence of such requests will cause all request processing threads, and hence Tomcat as a whole, to become unresponsive.

Affects: 4.0.0-4.0.6


Unverified

low: Installation path disclosure CVE-2005-4703

This issue only affects Windows operating systems. It cannot be reproduced on Windows XP Home with JDKs 1.3.1, 1.4.2, 1.5.0 or 1.6.0. Further investigation is required to determine the Windows operating system and JDK combinations that do exhibit this issue.

Affects: 4.0.3?



Copyright © 1999-2006, The Apache Software Foundation