Apache Tomcat

Apache Tomcat 5.x vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 5.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team - please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.


Fixed in Apache Tomcat 5.5.HEAD, 5.0.HEAD

moderate: Cross-site scripting CVE-2007-1355

The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled an XSS attack. These pages have been simplified so that they no longer use any user provided data in the output.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.23


Fixed in Apache Tomcat 5.5.23, 5.0.HEAD

important: Information disclosure CVE-2005-2090

Requests with multiple Content-Length headers should be rejected as invalid. When several components (firewalls, caches, proxies and Tomcat) process a sequence of requests in which one or more requests contain multiple Content-Length headers, and those components do not reject the request but make different decisions as to which Content-Length header to use, an attacker can poison a web cache, perform an XSS attack and obtain sensitive information from requests other than their own. Tomcat now returns 400 for requests with multiple Content-Length headers.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.22
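The following is an added illustration, not Tomcat code, of why the only safe handling of a request with more than one Content-Length header is to reject it. It parses a constructed sample request (not a capture) while preserving duplicate headers, shows that a "first header wins" component and a "last header wins" component would read different bodies from the same bytes, and models the fixed behaviour described above, where any duplicate Content-Length yields a 400.

```python
# Added example (not Tomcat code): why a request carrying more than one
# Content-Length header must be rejected outright rather than interpreted.
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample request (not a capture): two Content-Length headers
# that disagree about how long the body is.
AMBIGUOUS_REQUEST = (
    b"POST /app/submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"abcdefghijk"
)


def parse_request(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Split a raw HTTP/1.x request into (request line, headers, body).

    Headers come back as an ordered list of (name, value) pairs so that
    duplicates survive; a dict keyed by name would silently hide them.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def lenient_body_length(headers: Headers, policy: str) -> int:
    """Model of a lenient intermediary that quietly picks one header.

    'first' and 'last' are the two obvious choices; when they differ, two
    components disagree about where one request ends and the next begins,
    which is the root of the problem the advisory describes.
    """
    values = [int(v) for n, v in headers if n == "content-length"]
    return values[0] if policy == "first" else values[-1]


def strict_body_length(headers: Headers) -> Optional[int]:
    """Behaviour the advisory describes for fixed Tomcat: any request with
    more than one Content-Length header is invalid (None -> HTTP 400)."""
    values = [v for n, v in headers if n == "content-length"]
    if len(values) > 1:
        return None
    return int(values[0]) if values else 0


def response_status(raw: bytes) -> int:
    """400 Bad Request for ambiguous framing, 200 otherwise."""
    _, headers, _ = parse_request(raw)
    return 400 if strict_body_length(headers) is None else 200


if __name__ == "__main__":
    _, hdrs, body = parse_request(AMBIGUOUS_REQUEST)
    print("first-wins sees body:", body[:lenient_body_length(hdrs, "first")])
    print("last-wins sees body: ", body[:lenient_body_length(hdrs, "last")])
    print("strict status:", response_status(AMBIGUOUS_REQUEST))
```

The same rule applies to every component in the chain: a front-end that forwards such a request unchanged, even if it rejects nothing itself, leaves the disagreement for the next hop to suffer.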


Fixed in Apache Tomcat 5.5.22, 5.0.HEAD

important: Directory traversal CVE-2007-0450

The fix for this issue was insufficient. A fix was also required in the JK connector module for httpd. See CVE-2007-1860 for further information.

Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, an HTTP request containing strings like "/\../" may allow attackers to work around the context restriction of the proxy, and access the non-proxied contexts.

The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false):

  • org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
  • org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false

Because it is impossible to guarantee that Tomcat handles every URL exactly as the proxy server does, Tomcat should always be secured as if no context-restricting proxy were in use.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.21


Fixed in Apache Tomcat 5.5.21, 5.0.HEAD

low: Cross-site scripting CVE-2007-1358

Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit; however, older versions of Flash player were known to allow carefully crafted malicious Flash files to make requests with such custom headers. Tomcat now ignores Accept-Language header values that do not conform to RFC 2616.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.20
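As an added example, not part of the advisory or of Tomcat's own code, the validator below implements the RFC 2616 grammar for Accept-Language (language-range and qvalue) and applies the remedy described above: a header that does not conform is ignored entirely, so a page that echoes the negotiated language never emits arbitrary client-supplied bytes. The `render_greeting` page fragment and the `"en"` default are assumptions made for the illustration.

```python
# Added example (not Tomcat code): validate Accept-Language against the
# RFC 2616 grammar and ignore the header entirely when it does not conform,
# so a page that echoes the client's language never emits arbitrary bytes.
import html
import re
from typing import List, Optional, Tuple

# RFC 2616 14.4: language-range = ( ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*" )
LANGUAGE_RANGE = re.compile(r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)$")
# RFC 2616 3.9: qvalue = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
QVALUE = re.compile(r"^(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)$")


def parse_accept_language(header: Optional[str]) -> Optional[List[Tuple[str, float]]]:
    """Return [(language-range, q), ...] for a conforming header.

    Any element that violates the grammar makes the whole header invalid and
    the function returns None; the caller then behaves as if the header were
    absent, which is what the advisory says fixed Tomcat does.
    """
    if header is None:
        return None
    ranges: List[Tuple[str, float]] = []
    for element in header.split(","):
        element = element.strip()
        if not element:               # RFC 2616 #rule permits null elements
            continue
        parts = [p.strip() for p in element.split(";")]
        if len(parts) > 2 or not LANGUAGE_RANGE.match(parts[0]):
            return None
        q = 1.0
        if len(parts) == 2:
            name, _, value = parts[1].partition("=")
            if name.strip().lower() != "q" or not QVALUE.match(value.strip()):
                return None
            q = float(value)
        ranges.append((parts[0], q))
    return ranges or None


def preferred_language(header: Optional[str], default: str = "en") -> str:
    """Highest-q range from a valid header, otherwise the (assumed) default."""
    ranges = parse_accept_language(header)
    if not ranges:
        return default
    return max(ranges, key=lambda r: r[1])[0]


def render_greeting(header: Optional[str]) -> str:
    """Hypothetical page fragment that echoes the negotiated language.

    Validation already guarantees the value is ALPHA, '-' or '*'; escaping
    it anyway is the habit the XSS advisories on this page recommend.
    """
    return f"<p>Language: {html.escape(preferred_language(header))}</p>"
```

Rejecting the whole header rather than trimming the bad part keeps the logic simple and avoids a second parser that might disagree with the first about where the bad part ends.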


Fixed in Apache Tomcat 5.5.18, 5.0.HEAD

moderate: Cross-site scripting CVE-2006-7195

The implicit-objects.jsp in the examples webapp displayed a number of unfiltered header values. This enabled an XSS attack. These values are now filtered.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.17


Fixed in Apache Tomcat 5.5.17, 5.0.HEAD

important: Information disclosure CVE-2007-1858

The default SSL configuration permitted the use of insecure cipher suites including the anonymous cipher suite. The default configuration no longer permits the use of insecure cipher suites.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.16


Fixed in Apache Tomcat 5.5.16, 5.0.HEAD

low: Cross-site scripting CVE-2006-7196

The calendar application included as part of the JSP examples is susceptible to a cross-site scripting attack as it does not escape user provided data before including it in the returned page.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.15


Fixed in Apache Tomcat 5.5.13, 5.0.HEAD

low: Directory listing CVE-2006-3835

This is expected behaviour when directory listings are enabled. The semicolon (;) is the separator for path parameters so inserting one before a file name changes the request into a request for a directory with a path parameter. If directory listings are enabled, a directory listing will be shown. In response to this and other directory listing issues, directory listings were changed to be disabled by default.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.12
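The following added example (not Tomcat code) illustrates both the context-restriction bypass of CVE-2007-0450 above and the semicolon path-parameter behaviour of CVE-2006-3835. It models a proxy that exposes only one context by comparing the raw URL prefix, alongside an approximation of how Tomcat 5.x resolved the same path: backslashes (literal or `%5C`) treated as `/`, `%2F` decoded to `/`, `;param` stripped from each segment, then `..` resolved. The two system properties from the advisory are modelled as parameters with their post-fix default of false. The `/public` and `/internal` contexts are constructed for the illustration.

```python
# Added example (not Tomcat code): a proxy that exposes only some contexts by
# comparing the raw URL prefix is bypassed if the backend resolves the same
# path differently.  The normalisation below is an approximation of pre-fix
# Tomcat 5.x behaviour, with the two system properties from the advisory
# modelled as parameters (both default to False, i.e. reject).
from typing import List, Tuple
from urllib.parse import unquote

# Constructed context layout: the proxy is meant to expose /public only.
PROXIED_PREFIXES = ("/public/",)


def proxy_allows(raw_path: str) -> bool:
    """Naive proxy rule: compare the raw, undecoded path against a prefix list."""
    return raw_path.startswith(PROXIED_PREFIXES)


def tomcat_like_resolve(raw_path: str,
                        allow_encoded_slash: bool = False,
                        allow_backslash: bool = False) -> str:
    """Resolve a request path roughly the way Tomcat 5.x did.

    %2F (encoded slash) is refused unless allow_encoded_slash
    (UDecoder.ALLOW_ENCODED_SLASH).  A backslash present after decoding,
    literal or via %5C, is refused unless allow_backslash
    (CoyoteAdapter.ALLOW_BACKSLASH) and otherwise treated as '/'.  Path
    parameters after ';' are stripped per segment, then '.' and '..' resolved.
    """
    if "%2f" in raw_path.lower() and not allow_encoded_slash:
        raise ValueError("encoded slash in path")
    decoded = unquote(raw_path)
    if "\\" in decoded:
        if not allow_backslash:
            raise ValueError("backslash in path")
        decoded = decoded.replace("\\", "/")
    segments: List[str] = []
    for seg in decoded.split("/"):
        seg = seg.split(";", 1)[0]          # drop path parameters (CVE-2006-3835)
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def check_request(raw_path: str, **tomcat_flags: bool) -> Tuple[bool, str]:
    """Return (what the proxy decided, what the backend would actually serve).

    The second element is '400' when the fixed backend rejects the path.
    """
    allowed = proxy_allows(raw_path)
    try:
        served = tomcat_like_resolve(raw_path, **tomcat_flags)
    except ValueError:
        served = "400"
    return allowed, served
```

With the pre-fix settings the proxy approves a path under `/public/` that the backend then resolves into `/internal/`, which is exactly the mismatch the advisory warns about; with the defaults the backend answers 400 instead. The semicolon case shows why `/public/;index.html` is served as a directory request: the segment after the last slash is entirely a path parameter, so nothing remains of it after stripping.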

important: Denial of service CVE-2005-3510

The root cause is the relatively expensive calls required to generate the content for the directory listings. If directory listings are enabled, the number of files in each directory should be kept to a minimum. In response to this issue, directory listings were changed to be disabled by default. Additionally, a patch has been proposed that would improve performance, particularly for large directories, by caching directory listings.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.12


Fixed in Apache Tomcat 5.5.7, 5.0.HEAD

low: Cross-site scripting CVE-2005-4838

Various JSPs included as part of the JSP examples and the Tomcat Manager are susceptible to a cross-site scripting attack as they do not escape user provided data before including it in the returned page.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.6


Not a vulnerability in Tomcat

JavaMail information disclosure CVE-2005-1754

The vulnerability described is in the web application deployed on Tomcat rather than in Tomcat.

JavaMail information disclosure CVE-2005-1753

The vulnerability described is in the web application deployed on Tomcat rather than in Tomcat.



Copyright © 1999-2007, The Apache Software Foundation