
Apache Tomcat 5.x vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 5.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team - please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect; where a flaw has not been verified against a version, that version is listed with a question mark.

This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.


Fixed in Apache Tomcat 5.5.13, 5.0.HEAD

low: Directory listing CVE-2006-3835

This is expected behaviour when directory listings are enabled. The semicolon (;) is the separator for path parameters, so inserting one before a file name (for example requesting /docs/;index.html instead of /docs/index.html) changes the request into a request for the enclosing directory with a path parameter. If directory listings are enabled, a directory listing will be shown instead of the file. In response to this and other directory listing issues, directory listings were changed to be disabled by default.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.12
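The following is an added example, not code from Tomcat or from this page: a simplified model of how a servlet container strips path parameters before mapping a request path to a resource, used to show why a request for /docs/;index.html resolves to the directory /docs/ and, when listings are on, gets a directory listing rather than the file. The file set is constructed for the example, welcome files are ignored, and the model strips path parameters before percent-decoding (so an encoded %3B is treated as a literal character, not a separator); that ordering is an assumption of the model, not a statement about any particular Tomcat release.

```python
from urllib.parse import unquote

# Constructed sample of files in a deployed web application, relative to the
# context root.  Exists only to drive the model below.
SAMPLE_FILES = {
    "/docs/index.html",
    "/docs/config/server.html",
    "/WEB-INF/web.xml",
}


def strip_path_parameters(request_uri: str) -> str:
    """Drop ';name=value' path parameters from every segment of request_uri.

    RFC 2396 lets each path segment carry parameters after a ';'.  The
    container discards them before mapping the path to a resource, so the
    segment ';index.html' has an empty segment name and the cleaned path
    ends in '/', i.e. it names the enclosing directory.
    """
    return "/".join(seg.split(";", 1)[0] for seg in request_uri.split("/"))


def is_directory(path: str, files) -> bool:
    """A path names a directory if some known file lives below it."""
    prefix = path if path.endswith("/") else path + "/"
    return any(f.startswith(prefix) for f in files)


def classify_request(request_uri: str, listings_enabled: bool, files=SAMPLE_FILES) -> str:
    """Model of what the default servlet does with request_uri.

    Returns 'file' when the cleaned path names a file, 'listing' when it
    names a directory and listings are enabled, 'no-listing' when it names
    a directory but listings are disabled, and 'not-found' otherwise.
    Assumption: path parameters are removed before percent-decoding, so
    '%3B' never acts as a separator.
    """
    path = unquote(strip_path_parameters(request_uri))
    if path in files:
        return "file"
    if is_directory(path, files):
        return "listing" if listings_enabled else "no-listing"
    return "not-found"


if __name__ == "__main__":
    for uri in ("/docs/index.html",
                "/docs/;index.html",
                "/docs/index.html;jsessionid=0123",
                "/docs/%3Bindex.html"):
        print(f"{uri:40} -> {strip_path_parameters(uri):22} "
              f"{classify_request(uri, listings_enabled=True)}")
```

The practical check for a deployment is the `listings` init-param of the default servlet in conf/web.xml: with `listings` set to `false` the /docs/;index.html request in the model above yields no listing, which is the behaviour Tomcat adopted as its default in response to this report.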

important: Denial of service CVE-2005-3510

The root cause is the relatively expensive work required to generate the content for a directory listing: every entry in the directory is examined on each request. If directory listings are enabled, the number of files in each listed directory should be kept to a minimum. In response to this issue, directory listings were changed to be disabled by default. Additionally, a patch has been proposed that would improve performance, particularly for large directories, by caching directory listings.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.12
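The following is an added example, not the proposed Tomcat patch or any code from this page: it illustrates the caching mitigation described above by rendering a listing only when the directory's modification time has changed, and counts how many expensive renders a burst of requests costs with and without the cache. The directory contents are constructed in a temporary directory, and the mtime bump used to force invalidation is done explicitly with os.utime so the demonstration is deterministic on coarse-grained filesystems.

```python
import os
import tempfile


class ListingCache:
    """Cache rendered directory listings, invalidated by directory mtime.

    The expensive step (stat-ing every entry and rendering a line for it)
    runs once per directory change instead of once per request, which is
    what turns a flood of listing requests from O(entries) work each into a
    dictionary lookup.
    """

    def __init__(self):
        self._cache = {}   # directory -> (mtime_ns, rendered listing)
        self.renders = 0   # number of expensive renders performed

    def render(self, directory: str) -> str:
        """Expensive path: stat every entry and build one line per entry."""
        self.renders += 1
        lines = []
        for name in sorted(os.listdir(directory)):
            st = os.stat(os.path.join(directory, name))
            lines.append(f"{name}\t{st.st_size}")
        return "\n".join(lines)

    def get(self, directory: str) -> str:
        """Return the listing, re-rendering only if the directory changed."""
        mtime = os.stat(directory).st_mtime_ns
        cached = self._cache.get(directory)
        if cached is None or cached[0] != mtime:
            cached = (mtime, self.render(directory))
            self._cache[directory] = cached
        return cached[1]


def populate(directory: str, n_files: int) -> None:
    """Create n_files small files in directory (constructed sample data)."""
    for i in range(n_files):
        with open(os.path.join(directory, f"f{i:04d}.txt"), "w") as fh:
            fh.write("x")


def simulate(n_files: int = 200, requests: int = 50) -> dict:
    """Serve `requests` listings of a fresh directory with and without the
    cache, then change the directory and serve one more request.

    Returns the render counts: cached requests cost one render, a directory
    change costs one more, and the uncached servlet renders every time.
    """
    with tempfile.TemporaryDirectory() as d:
        populate(d, n_files)

        cached = ListingCache()
        for _ in range(requests):
            cached.get(d)
        renders_cached = cached.renders

        # Simulate a deployment change: add a file and bump the directory
        # mtime explicitly so the change is visible even on filesystems
        # with one-second timestamp granularity.
        populate(os.path.join(d), n_files + 1)  # rewrites existing + adds f{n}.txt
        st = os.stat(d)
        os.utime(d, ns=(st.st_atime_ns, st.st_mtime_ns + 1_000_000_000))
        cached.get(d)
        renders_after_change = cached.renders

        uncached = ListingCache()
        for _ in range(requests):
            uncached.render(d)

        return {
            "cached": renders_cached,
            "cached_after_change": renders_after_change,
            "uncached": uncached.renders,
            "entries": len(os.listdir(d)),
        }


if __name__ == "__main__":
    print(simulate())
```

The cached variant still has to pay the full render cost once per directory change, so the advice above to keep listed directories small remains the primary mitigation; the cache only removes the per-request multiplier that made the issue a denial of service.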


Not a vulnerability in Tomcat

JavaMail information disclosure CVE-2005-1754

The vulnerability described is in the web application deployed on Tomcat rather than in Tomcat.

JavaMail information disclosure CVE-2005-1753

The vulnerability described is in the web application deployed on Tomcat rather than in Tomcat.



Copyright © 1999-2006, The Apache Software Foundation