Apache Tomcat

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 5.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team - please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.

Please note that Tomcat 5.0.x is no longer supported. Further vulnerabilities in the 5.0.x branch will not be fixed. Users should upgrade to 5.5.x or 6.x to obtain security fixes. Vulnerabilities fixed in Tomcat 5.5.26 onwards have not been assessed to determine if they are present in the 5.0.x branch.

Important: Information Disclosure CVE-2008-5515

When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory.

This was fixed in revision 782757 and revision 783291.

Affects: 5.5.0-5.5.27

Important: Denial of Service CVE-2009-0033

If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behaviour can be used for a denial of service attack using a carefully crafted request.

This was fixed in revision 781362.

Affects: 5.5.0-5.5.27

low: Information disclosure CVE-2009-0580

Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of user names by supplying illegally URL encoded passwords. The attack is possible if FORM based authentication (j_security_check) is used with the MemoryRealm. Note that in early versions, the DataSourceRealm and JDBCRealm were also affected.

This was fixed in revision 781379.

Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC Realms)

low: Cross-site scripting CVE-2009-0781

The calendar application in the examples web application contains an XSS flaw due to invalid HTML which renders the XSS filtering protection ineffective.

This was fixed in revision 750928.

Affects: 5.5.0-5.5.27

low: Information disclosure CVE-2009-0783

Bugs 29936 and 45933 allowed a web application to replace the XML parser used by Tomcat to process web.xml, context.xml and tld files. In limited circumstances these bugs may allow a rogue web application to view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance.

This was fixed in revisions 681156 and 781542.

Affects: 5.5.0-5.5.27

low: Cross-site scripting CVE-2008-1232

The message argument of HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user supplied data must be included in the message argument.

This was fixed in revision 680947.

Affects: 5.5.0-5.5.26

low: Cross-site scripting CVE-2008-1947

The Host Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

This was fixed in revision 662583.

Affects: 5.5.9-5.5.26

important: Information disclosure CVE-2008-2370

When using a RequestDispatcher the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory.

This was fixed in revision 680949.

Affects: 5.5.0-5.5.26

low: Session hi-jacking CVE-2007-5333

The previous fix for CVE-2007-3385 was incomplete. It did not consider the use of quotes or %5C within a cookie value.

Affects: 5.5.0-5.5.25

low: Elevated privileges CVE-2007-5342

The JULI logging component allows web applications to provide their own logging configurations. The default security policy does not restrict this configuration and allows an untrusted web application to add files or overwrite existing files where the Tomcat process has the necessary file permissions to do so.

Affects: 5.5.9-5.5.25

important: Information disclosure CVE-2007-5461

When Tomcat's WebDAV servlet is configured for use with a context and has been enabled for write, some WebDAV requests that specify an entity with a SYSTEM tag can result in the contents of arbitary files being returned to the client.

Affects: 5.5.0-5.5.25

important: Data integrity CVE-2007-6286

When using the native (APR based) connector, connecting to the SSL port using netcat and then disconnecting without sending any data will cause tomcat to handle a duplicate copy of one of the recent requests.

Affects: 5.5.11-5.5.25

low: Cross-site scripting CVE-2007-2449

JSPs within the examples web application did not escape user provided data before including it in the output. This enabled a XSS attack. These JSPs now filter the data before use. This issue may be mitigated by undeploying the examples web application. Note that it is recommended that the examples web application is not installed on a production system.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.24

low: Cross-site scripting CVE-2007-2450

The Manager and Host Manager web applications did not escape user provided data before including it in the output. This enabled a XSS attack. These applications now filter the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.24

low: Session hi-jacking CVE-2007-3382

Tomcat incorrectly treated a single quote character (') in a cookie value as a delimiter. In some circumstances this lead to the leaking of information such as session ID to an attacker.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.24

low: Session hi-jacking CVE-2007-3385

Tomcat incorrectly handled the character sequence \" in a cookie value. In some circumstances this lead to the leaking of information such as session ID to an attacker.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.24

low: Cross-site scripting CVE-2007-3386

The Host Manager Servlet did not filter user supplied data before display. This enabled an XSS attack.

Affects: 5.5.0-5.5.24

moderate: Cross-site scripting CVE-2007-1355

The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled a XSS attack. These pages have been simplified not to use any user provided data in the output.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.23

important: Information disclosure CVE-2005-2090

Requests with multiple content-length headers should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain multiple content-length headers and several components do not reject the request and make different decisions as to which content-length leader to use an attacker can poision a web-cache, perform an XSS attack and obtain senstive information from requests other then their own. Tomcat now returns 400 for requests with multiple content-length headers.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.22

important: Directory traversal CVE-2007-0450

The fix for this issue was insufficient. A fix was also required in the JK connector module for httpd. See CVE-2007-1860 for further information.

Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request containing strings like "/\../" may allow attackers to work around the context restriction of the proxy, and access the non-proxied contexts.

The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false):

• org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
• org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false

Due to the impossibility to guarantee that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.21

low: Cross-site scripting CVE-2007-1358

Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious Flash files to make requests with such custom headers. Tomcat now ignores invalid values for Accept-Language headers that do not conform to RFC 2616.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.20

moderate: Session hi-jacking CVE-2008-0128

When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server.

Affects: 5.0.0-5.0.SVN, 5.5.0-5.5.20

low: Information disclosure CVE-2008-4308

Bug 40771 may result in the disclosure of POSTed content from a previous request. For a vulnerability to exist, the content read from the input stream must be disclosed, eg via writing it to the response and committing the response, before the ArrayIndexOutOfBoundsException occurs which will halt processing of the request.

Affects: 5.5.10-5.5.20 (5.0.x unknown)

moderate: Cross-site scripting CVE-2006-7195

The implicit-objects.jsp in the examples webapp displayed a number of unfiltered header values. This enabled a XSS attack. These values are now filtered.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.17

important: Information disclosure CVE-2007-1858

The default SSL configuration permitted the use of insecure cipher suites including the anonymous cipher suite. The default configuration no longer permits the use of insecure cipher suites.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.16

low: Cross-site scripting CVE-2006-7196

The calendar application included as part of the JSP examples is susceptible to a cross-site scripting attack as it does not escape user provided data before including it in the returned page.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.15

low: Directory listing CVE-2006-3835

This is expected behaviour when directory listings are enabled. The semicolon (;) is the separator for path parameters so inserting one before a file name changes the request into a request for a directory with a path parameter. If directory listings are enabled, a directory listing will be shown. In response to this and other directory listing issues, directory listings were changed to be disabled by default.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.12

important: Denial of service CVE-2005-3510

The root cause is the relatively expensive calls required to generate the content for the directory listings. If directory listings are enabled, the number of files in each directory should be kepp to a minimum. In response to this issue, directory listings were changed to be disabled by default. Additionally, a patch has been proposed that would improve performance, particularly for large directories, by caching directory listings.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.12

low: Cross-site scripting CVE-2005-4838

Various JSPs included as part of the JSP examples and the Tomcat Manager are susceptible to a cross-site scripting attack as they do not escape user provided data before including it in the returned page.

Affects: 5.0.0-5.0.30, 5.5.0-5.5.6

low: Information disclosure CVE-2008-3271

Bug 25835 can, in rare circumstances - this has only been reproduced using a debugger to force a particular processing sequence for two threads - allow a user from a non-permitted IP address to gain access to a context that is protected with a valve that extends RequestFilterValve. This includes the standard RemoteAddrValve and RemoteHostValve implementations.

Affects: 5.5.0 (5.0.x unknown)

JavaMail information disclosure CVE-2005-1754

The vulnerability described is in the web application deployed on Tomcat rather than in Tomcat.

JavaMail information disclosure CVE-2005-1753

The vulnerability described is in the web application deployed on Tomcat rather than in Tomcat.

important: Directory traversal CVE-2008-2938

Originally reported as a Tomcat vulnerability the root cause of this issue is that the JVM does not correctly decode UTF-8 encoded URLs to UTF-8. This exposes a directory traversal vulnerability when the connector uses URIEncoding="UTF-8". This directory traversal is limited to the docBase of the web application.

If a context is configured with allowLinking="true" then the directory traversal vulnerability is extended to the entire file system of the host server.

It should also be noted that setting useBodyEncodingForURI="true" has the same effect as setting URIEncoding="UTF-8" when processing requests with bodies encoded with UTF-8.

Although the root cause was quickly identified as a JVM issue and that it affected multiple JVMs from multiple vendors, it was decided to report this as a Tomcat vulnerability until such time as the JVM vendors provided updates to resolve this issue. For further information on the status of this issue for your JVM, contact your JVM vendor.

A workaround was implemented in revision 681029 that protects against this and any similar character encoding issues that may still exist in the JVM. This work around is included in Tomcat 5.5.27 onwards.