Apache Tomcat 4.x vulnerabilities
This page lists all security vulnerabilities fixed in released versions
of Apache Tomcat 4.x. Each vulnerability is given a security impact
rating by the Apache Tomcat security team - please note that this rating
may vary from platform to platform. We also list the versions of Apache
Tomcat the flaw is known to affect, and where a flaw has not been
verified we list the version with a question mark.
This page has been created from a review of the Apache Tomcat archives
and the CVE list. Please send comments or corrections for these
vulnerabilities to the Tomcat Security Team.
Not fixed in Apache Tomcat 4.1.x
moderate: Information disclosure
CVE-2005-4836
The deprecated HTTP/1.1 connector does not reject request URIs containing
null bytes when used with contexts that are configured with
allowLinking="true". Failure to reject the null byte enables an attacker
to obtain the source for any JSP page in these contexts. Users of Tomcat
4.1.x are advised to use the default, supported Coyote HTTP/1.1 connector
which does not exhibit this issue. There are no plans to issue an update
to Tomcat 4.1.x for this issue.
Affects: 4.1.15-4.1.HEAD
Fixed in Apache Tomcat 4.1.HEAD
moderate: Cross-site scripting
CVE-2007-1355
The JSP and Servlet included in the sample application within the Tomcat
documentation webapp did not escape user provided data before including
it in the output. This enabled an XSS attack. These pages have been
simplified not to use any user provided data in the output.
Affects: 4.0.1-4.0.6, 4.1.0-4.1.36
Fixed in Apache Tomcat 4.1.HEAD
important: Information disclosure
CVE-2005-3164
If a client specifies a Content-Length but disconnects before sending
any of the request body, the deprecated AJP connector processes the
request using the request body of the previous request. Users are advised
to use the default, supported Coyote AJP connector which does not exhibit
this issue.
Affects: 4.0.1-4.0.6, 4.1.0-4.1.36
Fixed in Apache Tomcat 4.1.36
important: Information disclosure
CVE-2005-2090
Requests with multiple content-length headers should be rejected as
invalid. When multiple components (firewalls, caches, proxies and Tomcat)
process a sequence of requests in which one or more requests contain
multiple content-length headers, and several of those components accept
the request but make different decisions as to which content-length
header to use, an attacker can poison a web cache, perform an XSS attack
or obtain sensitive information from requests other than their own.
Tomcat now returns 400 for requests with multiple content-length headers.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.34
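As an added example (not Tomcat's code, and not taken from the 4.1.36
fix), the following Python check shows the decision described above: a
request head is parsed with every Content-Length occurrence kept, and the
request is refused with 400 when the header appears more than once (as
separate lines or as a comma-separated list, identical values included)
or is not a plain decimal number, so no component downstream is left to
choose a different length than this one. The sample request heads are
constructed for the example; the function names are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample request heads (not captured traffic). Bodies play no
# part in the decision, so only a few body bytes are included.
SAMPLE_REQUESTS = {
    "single":         b"POST /app/submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "conflicting":    b"POST /app/submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\nhello",
    "duplicate_same": b"POST /app/submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 5\r\n\r\nhello",
    "folded":         b"POST /app/submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5, 50\r\n\r\nhello",
    "non_numeric":    b"POST /app/submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5x\r\n\r\nhello",
    "no_body":        b"GET /app/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

# RFC 2616 token characters; a header name containing anything else
# (including whitespace before the colon) is malformed and the whole
# request is refused rather than guessed at.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_DIGITS = re.compile(rb"^[0-9]+$")


def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a request head into its request line and an ordered list of
    (lower-cased name, value) pairs. Every occurrence of a header is kept,
    so duplicates stay visible to the caller instead of being merged."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: List[Tuple[bytes, bytes]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def content_length_decision(headers: List[Tuple[bytes, bytes]]) -> Tuple[int, Optional[int]]:
    """Return (status, declared_length). Status 400 means the request must
    be refused: more than one Content-Length value (separate lines or a
    comma-separated list, identical or not) or a value that is not a plain
    decimal number. Status 200 stands for "accept and continue"."""
    values = []
    for name, value in headers:
        if name == b"content-length":
            values.extend(part.strip() for part in value.split(b","))
    if not values:
        return 200, None      # no body declared
    if len(values) > 1:
        return 400, None      # never pick one: another component may pick the other
    if not _DIGITS.match(values[0]):
        return 400, None
    return 200, int(values[0])


def check_request(raw: bytes) -> Tuple[int, Optional[int]]:
    """Parse then decide; a malformed head is also answered with 400."""
    try:
        _, headers = parse_head(raw)
    except ValueError:
        return 400, None
    return content_length_decision(headers)


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print("%-15s -> %s" % (label, check_request(raw)))
```

Rejecting even two identical Content-Length lines is deliberate: the
point of the fix is that every component in the chain must reach the
same verdict, and "refuse" is the only verdict that needs no agreement on
which copy wins.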
important: Directory traversal
CVE-2007-0450
The fix for this issue was insufficient. A fix was also required in the
JK connector module for httpd. See
CVE-2007-1860 for further information.
Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used
behind a proxy (including, but not limited to, Apache HTTP server with
mod_proxy and mod_jk) configured to only proxy some contexts, an HTTP request
containing strings like "/\../" may allow attackers to work around the context
restriction of the proxy and access the non-proxied contexts.
The following Java system properties have been added to Tomcat to provide
additional control of the handling of path delimiters in URLs (both options
default to false):
- org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH : true|false
- org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH : true|false
Because it is impossible to guarantee that all URLs are handled by Tomcat in
the same way as by proxy servers, Tomcat should always be secured as if no
proxy restricting context access were in use.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.34
low: Cross-site scripting
CVE-2007-1358
Web pages that display the Accept-Language header value sent by the
client are susceptible to a cross-site scripting attack if they assume
the Accept-Language header value conforms to RFC 2616. Under normal
circumstances this would not be possible to exploit; however, older
versions of Flash player were known to allow carefully crafted malicious
Flash files to make requests with such custom headers. Tomcat now ignores
Accept-Language header values that do not conform to RFC 2616.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.34
Fixed in Apache Tomcat 4.1.32
important: Information disclosure
CVE-2007-1858
The default SSL configuration permitted the use of insecure cipher suites
including the anonymous cipher suite. The default configuration no
longer permits the use of insecure cipher suites.
Affects: 4.1.28-4.1.31
low: Cross-site scripting
CVE-2006-7196
The calendar application included as part of the JSP examples is
susceptible to a cross-site scripting attack as it does not escape
user provided data before including it in the returned page.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.31
low: Directory listing
CVE-2006-3835
This is expected behaviour when directory listings are enabled. The
semicolon (;) is the separator for path parameters so inserting one
before a file name changes the request into a request for a directory
with a path parameter. If directory listings are enabled, a directory
listing will be shown. In response to this and other directory listing
issues, directory listings were changed to be disabled by default.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.31
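Three of the entries on this page (the null-byte issue CVE-2005-4836, the
path delimiter issue CVE-2007-0450 and the semicolon path-parameter issue
CVE-2006-3835) are all decisions made while reducing a request URI to the
path that context mapping sees. The following Python function is an added
example, not Tomcat's connector code, that applies those decisions in one
place: NUL bytes are always refused, %2F and backslashes are refused
unless the corresponding option is on (the two boolean parameters mirror
the intent of ALLOW_ENCODED_SLASH and ALLOW_BACKSLASH but are this
example's own), path parameters are stripped per segment, and dot
segments are resolved. The URIs in the demo and test are constructed.

```python
from urllib.parse import unquote


class RejectedPath(ValueError):
    """The request URI must be answered with an error instead of being mapped."""


def normalize_request_path(raw_uri: str, allow_encoded_slash: bool = False,
                           allow_backslash: bool = False) -> str:
    """Reduce a request URI to the path that context mapping would see.

    The checks run in the order a connector would apply them:
      1. NUL bytes, raw or as %00, are always refused.
      2. %2F is refused unless allow_encoded_slash is set.
      3. '\\' and %5C are refused unless allow_backslash is set; when it
         is, a backslash is treated as a path delimiter.
      4. Path parameters (';...' inside a segment) are stripped per segment,
         so '/dir/;file.jsp' becomes the directory request '/dir/'.
      5. '.' and '..' segments are resolved; climbing above '/' is refused.
    A trailing '/' is preserved so the caller can tell a directory request
    from a file request.
    """
    path = raw_uri.split("?", 1)[0]
    lowered = path.lower()
    if "\x00" in path or "%00" in lowered:
        raise RejectedPath("NUL byte in request URI")
    if "%2f" in lowered and not allow_encoded_slash:
        raise RejectedPath("encoded slash in request URI")
    if ("\\" in path or "%5c" in lowered) and not allow_backslash:
        raise RejectedPath("backslash in request URI")
    decoded = unquote(path)          # a single decoding pass, as a connector does
    if allow_backslash:
        decoded = decoded.replace("\\", "/")
    if not decoded.startswith("/"):
        raise RejectedPath("request path must be absolute")
    stack = []
    for segment in decoded.split("/")[1:]:
        segment = segment.split(";", 1)[0]   # drop path parameters such as ;jsessionid=...
        if segment == ".":
            continue
        if segment == "..":
            if not stack:
                raise RejectedPath("path climbs above the server root")
            stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def is_rejected(raw_uri: str, **options) -> bool:
    """True when normalize_request_path refuses the URI with the given options."""
    try:
        normalize_request_path(raw_uri, **options)
    except RejectedPath:
        return True
    return False


if __name__ == "__main__":
    # Constructed request URIs, not taken from any log.
    for uri in ["/app/index.jsp;jsessionid=abc", "/app/;index.jsp", "/\\../admin/",
                "/app/index.jsp%00.txt", "/app%2Fadmin"]:
        try:
            print("%-32s -> %s" % (uri, normalize_request_path(uri)))
        except RejectedPath as err:
            print("%-32s -> rejected (%s)" % (uri, err))
```

The test includes the case the page warns about: with allow_backslash on,
"/\../admin/" normalizes to "/admin/", a path a prefix-matching proxy in
front of Tomcat never saw in that form. That is why both options default
to false and why the page says to secure Tomcat as if no proxy were there.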
low: Cross-site scripting
CVE-2005-4838
Various JSPs included as part of the JSP examples and the Tomcat Manager
are susceptible to a cross-site scripting attack as they do not escape
user provided data before including it in the returned page.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.31
important: Denial of service
CVE-2005-3510
The root cause is the relatively expensive calls required to generate
the content for the directory listings. If directory listings are
enabled, the number of files in each directory should be kept to a
minimum. In response to this issue, directory listings were changed to
be disabled by default. Additionally, a
patch has been proposed that would improve performance, particularly
for large directories, by caching directory listings.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.31
Fixed in Apache Tomcat 4.1.29
moderate: Cross-site scripting
CVE-2002-1567
The unmodified requested URL is included in the 404 response header.
Newline characters in this URL appear to the client to be the end of the
header section. The remaining part of the URL, including the script
elements, is treated as part of the response body and the client executes
the script.
Tomcat now replaces potentially unsafe characters in the response
headers with spaces.
Affects: 4.1.0-4.1.28
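Both this entry and CVE-2007-1358 above are about a header value that a
page or the server itself reflects: inbound, an Accept-Language value
that does not follow the RFC 2616 grammar should be ignored rather than
echoed; outbound, a value placed into a response header must not be able
to end the header line or the header section. The following Python code
is an added example of both checks, not Tomcat's implementation. The
header name X-Requested-Resource is hypothetical (the page does not say
which 404 response header carried the URL), and the sample values are
constructed.

```python
import re
from typing import List, Tuple

# RFC 2616 3.10 / 14.4: language-range = ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*",
# optionally followed by ";q=" and a qvalue from 0 to 1 with up to 3 decimals.
_LANGUAGE_RANGE = re.compile(r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)$")
_QVALUE = re.compile(r"^(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)$")


def parse_accept_language(value: str) -> List[Tuple[str, float]]:
    """Return the (language-range, q) pairs of a conforming Accept-Language
    value. Any element that breaks the RFC 2616 grammar makes the whole
    header invalid and the empty list is returned, i.e. the header is
    ignored rather than handed to a page that might echo it."""
    result: List[Tuple[str, float]] = []
    for element in value.split(","):
        element = element.strip()
        if not element:
            continue
        tag, sep, params = element.partition(";")
        tag = tag.strip()
        if not _LANGUAGE_RANGE.match(tag):
            return []
        q = 1.0
        if sep:
            key, eq, qvalue = params.strip().partition("=")
            qvalue = qvalue.strip()
            if key.strip().lower() != "q" or not eq or not _QVALUE.match(qvalue):
                return []
            q = float(qvalue)
        result.append((tag, q))
    return result


# CR, LF and the other control characters are what lets an echoed value end
# a header line or the whole header section.
_HEADER_UNSAFE = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_header_value(value: str) -> str:
    """Replace control characters with spaces, the approach the fix above describes."""
    return _HEADER_UNSAFE.sub(" ", value)


def build_404_head(requested_uri: str) -> bytes:
    """Build a 404 status line and headers that echo the requested URI.
    X-Requested-Resource is a hypothetical header name for illustration."""
    head = ("HTTP/1.1 404 Not Found\r\n"
            "X-Requested-Resource: %s\r\n"
            "Content-Length: 0\r\n\r\n" % sanitize_header_value(requested_uri))
    return head.encode("latin-1", "replace")


if __name__ == "__main__":
    print(parse_accept_language("en-US,en;q=0.8,fr;q=0.5"))
    print(parse_accept_language("<script>alert(1)</script>"))
    print(build_404_head("/missing\r\n\r\n<script>x</script>"))
```

Validating against the grammar (rather than blacklisting "<" and ">")
is the stronger choice for Accept-Language because the legitimate value
space is small and fully specified; sanitizing by replacement is the
right choice for the outbound case because the URL is arbitrary and the
only property that matters is that it cannot contain a line break.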
Fixed in Apache Tomcat 4.1.13, 4.0.6
important: Information disclosure
CVE-2002-1394
A specially crafted URL using the invoker servlet in conjunction with the
default servlet can enable an attacker to obtain the source of JSP pages
or, under special circumstances, a static resource that would otherwise
have been protected by a security constraint without the need to be
properly authenticated. This is a variation of CVE-2002-1148.
Affects: 4.0.0-4.0.5, 4.1.0-4.1.12
moderate: Cross-site scripting
CVE-2002-0682
A specially crafted URL using the invoker servlet and various internal
classes causes Tomcat to throw an exception that includes unescaped
information from the malformed request. This allows the XSS attack.
Affects: 4.0.0-4.0.5, 4.1.0-4.1.12
Fixed in Apache Tomcat 4.1.3
important: Denial of service
CVE-2002-0935
A malformed HTTP request can cause the request processing thread to
become unresponsive. A sequence of such requests will cause all request
processing threads, and hence Tomcat as a whole, to become unresponsive.
Affects: 4.0.0-4.0.2?, 4.0.3, 4.0.4-4.0.6?, 4.1.0-4.1.2?
Fixed in Apache Tomcat 4.1.0
important: Denial of service
CVE-2003-0866
A malformed HTTP request can cause the request processing thread to
become unresponsive. A sequence of such requests will cause all request
processing threads, and hence Tomcat as a whole, to become unresponsive.
Affects: 4.0.0-4.0.6
low: Information disclosure
CVE-2002-2006
The snoop and troubleshooting servlets installed as part of the examples
include output that identifies the Tomcat installation path.
Affects: 4.0.0-4.0.6
Fixed in Apache Tomcat 4.0.2
low: Information disclosure
CVE-2002-2009, CVE-2001-0917
Requests for JSP files where the file name is preceded by '+/', '>/',
'</' or '%20/' or a request for a JSP with a long file name would
result in an error page that included the full file system path to
the JSP file.
Affects: 4.0.0-4.0.1
Fixed in Apache Tomcat 4.0.0
moderate: Security manager bypass
CVE-2002-0493
If errors are encountered during the parsing of web.xml and Tomcat is
configured to use a security manager it is possible for Tomcat to start
without the security manager in place.
Affects: Pre-release builds of 4.0.0
Unverified
low: Installation path disclosure
CVE-2005-4703, CVE-2002-2008
This issue only affects Windows operating systems. It cannot be
reproduced on Windows XP Home with JDKs 1.3.1, 1.4.2, 1.5.0 or 1.6.0.
Further investigation is required to determine the Windows operating
system and JDK combinations that do exhibit this issue. The
vulnerability reports for this issue state that it is fixed in 4.1.3
onwards.
Affects: 4.0.3?
important: Denial of service
CVE-2002-1895
This issue only affects configurations that use IIS in conjunction with
Tomcat and the AJP1.3 connector. It cannot be reproduced using Windows
2000 SP4 with latest patches and Tomcat 4.0.4 with JDK 1.3.1. The
vulnerability reports for this issue state that it is fixed in 4.1.10
onwards.
Affects: 4.0.4?
Not a vulnerability in Tomcat
Denial of service vulnerability
CVE-2002-0936
The issue described requires an attacker to be able to plant a JSP page
on the Tomcat server. If an attacker can do this then the server is
already compromised. In this case an attacker could just as easily add a
page that called System.exit(1) rather than relying on a bug in an
internal Sun class.