Note: These issues were fixed in Apache Tomcat 6.0.19 but the release
vote for that release candidate did not pass. Therefore, although users
must download 6.0.20 to obtain a version that includes fixes for these
issues, 6.0.19 is not included in the list of affected versions.
Important: Information Disclosure
CVE-2008-5515
When using a RequestDispatcher obtained from the Request, the target path
was normalised before the query string was removed. A request that
included a specially crafted request parameter could be used to access
content that would otherwise be protected by a security constraint or by
locating it in under the WEB-INF directory.
This was fixed in
revision 734734.
Affects: 6.0.0-6.0.18
Important: Denial of Service
CVE-2009-0033
If Tomcat receives a request with invalid headers via the Java AJP
connector, it does not return an error and instead closes the AJP
connection. In case this connector is member of a mod_jk load balancing
worker, this member will be put into an error state and will be blocked
from use for approximately one minute. Thus the behaviour can be used for
a denial of service attack using a carefully crafted request.
This was fixed in
revision 742915.
Affects: 6.0.0-6.0.18
low: Information disclosure
CVE-2009-0580
Due to insufficient error checking in some authentication classes, Tomcat
allows for the enumeration (brute force testing) of user names by
supplying illegally URL encoded passwords. The attack is possible if FORM
based authentication (j_security_check) is used with the MemoryRealm.
This was fixed in
revision 747840.
Affects: 6.0.0-6.0.18
low: Cross-site scripting
CVE-2009-0781
The calendar application in the examples web application contains an
XSS flaw due to invalid HTML which renders the XSS filtering protection
ineffective.
This was fixed in
revision 750924.
Affects: 6.0.0-6.0.18
low: Information disclosure
CVE-2009-0783
Bugs
29936 and
45933 allowed a web application to replace the XML parser used by
Tomcat to process web.xml, context.xml and tld files. In limited
circumstances these bugs may allow a rogue web application to view and/or
alter the web.xml, context.xml and tld files of other web applications
deployed on the Tomcat instance.
This was fixed in revisions
652592 and
739522.
Affects: 6.0.0-6.0.18