low: Session hijacking
CVE-2007-5333
The previous fix for CVE-2007-3385 was incomplete. It did not consider
the use of quotes or %5C within a cookie value.
Affects: 6.0.0-6.0.14
low: Elevated privileges
CVE-2007-5342
The JULI logging component allows web applications to provide their own
logging configurations. The default security policy does not restrict
this configuration and allows an untrusted web application to add files
or overwrite existing files where the Tomcat process has the necessary
file permissions to do so.
Affects: 6.0.0-6.0.15
important: Information disclosure
CVE-2007-5461
When Tomcat's WebDAV servlet is configured for use with a context and
has been enabled for write, some WebDAV requests that specify an entity
with a SYSTEM tag can result in the contents of arbitrary files being
returned to the client.
Affects: 6.0.0-6.0.14
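The bug class above is external entity expansion in the XML body of a WebDAV request. As an added example (not code from the Tomcat project), the parser configuration below refuses any DOCTYPE or external entity before it can be resolved; the two request bodies are constructed samples and the file URI is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public final class HardenedWebDavXml {

    // Constructed sample bodies: a plain PROPFIND request and one carrying a
    // DOCTYPE that declares a SYSTEM (external) entity. The file URI is a
    // placeholder; the hardened parser rejects the DOCTYPE before resolving it.
    static final String PLAIN_PROPFIND =
        "<?xml version=\"1.0\"?><D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";
    static final String DOCTYPE_PROPFIND =
        "<?xml version=\"1.0\"?><!DOCTYPE D:propfind [<!ENTITY ext SYSTEM "
        + "\"file:///constructed/placeholder.txt\">]>"
        + "<D:propfind xmlns:D=\"DAV:\"><D:prop><D:x>&ext;</D:x></D:prop></D:propfind>";

    // Parser configured so that DOCTYPE declarations and external entities are
    // refused outright; the JDK's built-in Xerces parser understands these features.
    public static DocumentBuilder newHardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the body parses under the hardened settings, false when
    // the parser refuses it (disallow-doctype-decl raises a SAXParseException).
    public static boolean accepts(String body) throws Exception {
        try {
            newHardenedBuilder().parse(
                new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain PROPFIND accepted: " + accepts(PLAIN_PROPFIND));
        System.out.println("DOCTYPE PROPFIND accepted: " + accepts(DOCTYPE_PROPFIND));
    }
}
```

The same feature flags apply to SAXParserFactory and to the StAX XMLInputFactory; the point is that the server never resolves an entity URI supplied by the client.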
important: Data integrity
CVE-2007-6286
When using the native (APR-based) connector, connecting to the SSL port
using netcat and then disconnecting without sending any data will cause
Tomcat to handle a duplicate copy of one of the recent requests.
Affects: 6.0.0-6.0.15
important: Information disclosure
CVE-2008-0002
If an exception occurs during the processing of parameters (e.g. if the
client disconnects), then it is possible that the parameters submitted for
that request will be incorrectly processed as part of a subsequent
request.
Affects: 6.0.5-6.0.15