Apache Tomcat 4.x vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 4.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team - please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.

Please note that Tomcat 4.0.x is no longer supported. Further vulnerabilities in the 4.0.x branch will not be fixed. Users should upgrade to 4.1.x, 5.5.x or 6.x to obtain security fixes.


Will not be fixed in Apache Tomcat 4.1.x

moderate: Information disclosure CVE-2005-4836

The deprecated HTTP/1.1 connector does not reject request URIs containing null bytes when used with contexts that are configured with allowLinking="true". Failure to reject the null byte enables an attacker to obtain the source for any JSP page in these contexts. Users of Tomcat 4.1.x are advised to use the default, supported Coyote HTTP/1.1 connector which does not exhibit this issue. There are no plans to issue an update to Tomcat 4.1.x for this issue.

Affects: 4.1.15-4.1.SVN


Fixed in Apache Tomcat 4.1.SVN

moderate: Session hi-jacking CVE-2008-0128

When the SingleSignOn Valve is used via https, the JSESSIONIDSSO cookie is sent without the "secure" attribute, so it is also transmitted with any request that is, on purpose or in error, made via http to the same server.

Affects: 4.1.0-4.1.37

low: Cross-site scripting CVE-2008-1232

The message argument of the HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of the HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user supplied data must be included in the message argument.

Affects: 4.1.0-4.1.37

important: Information disclosure CVE-2008-2370

When using a RequestDispatcher the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it under the WEB-INF directory.

Affects: 4.1.0-4.1.37

moderate: Directory traversal CVE-2008-2938

If a context is configured with allowLinking="true" and the connector is configured with URIEncoding="UTF-8" then a malformed request may be used to access arbitrary files on the server.

Affects: 4.1.0-4.1.37


Fixed in Apache Tomcat 4.1.37

important: Information disclosure CVE-2005-3164

If a client specifies a Content-Length but disconnects before sending any of the request body, the deprecated AJP connector processes the request using the request body of the previous request. Users are advised to use the default, supported Coyote AJP connector which does not exhibit this issue.

Affects: 4.0.1-4.0.6, 4.1.0-4.1.36

moderate: Cross-site scripting CVE-2007-1355

The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled an XSS attack. These pages have been simplified not to use any user provided data in the output.

Affects: 4.0.1-4.0.6, 4.1.0-4.1.36

low: Cross-site scripting CVE-2007-2449

JSPs within the examples web application did not escape user provided data before including it in the output. This enabled an XSS attack. These JSPs now filter the data before use. This issue may be mitigated by undeploying the examples web application. Note that it is recommended that the examples web application is not installed on a production system.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36

low: Cross-site scripting CVE-2007-2450

The Manager web application did not escape user provided data before including it in the output. This enabled an XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

Affects: 4.0.1-4.0.6, 4.1.0-4.1.36

low: Session hi-jacking CVE-2007-3382

Tomcat incorrectly treated a single quote character (') in a cookie value as a delimiter. In some circumstances this led to the leaking of information such as session ID to an attacker.

Affects: 4.1.0-4.1.36

low: Cross-site scripting CVE-2007-3383

When reporting error messages, the SendMailServlet (part of the examples web application) did not escape user provided data before including it in the output. This enabled an XSS attack. This Servlet now filters the data before use. This issue may be mitigated by undeploying the examples web application. Note that it is recommended that the examples web application is not installed on a production system.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36

low: Session hi-jacking CVE-2007-3385

Tomcat incorrectly handled the character sequence \" in a cookie value. In some circumstances this led to the leaking of information such as session ID to an attacker.

Affects: 4.1.0-4.1.36

low: Session hi-jacking CVE-2007-5333

The previous fix for CVE-2007-3385 was incomplete. It did not consider the use of quotes or %5C within a cookie value.

Affects: 4.1.0-4.1.36

important: Information disclosure CVE-2007-5461

When Tomcat's WebDAV servlet is configured for use with a context and has been enabled for write, some WebDAV requests that specify an entity with a SYSTEM tag can result in the contents of arbitrary files being returned to the client.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.36


Fixed in Apache Tomcat 4.1.36

important: Information disclosure CVE-2005-2090

Requests with multiple content-length headers should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain multiple content-length headers, and several components do not reject the request and make different decisions as to which content-length header to use, an attacker can poison a web cache, perform an XSS attack and obtain sensitive information from requests other than their own. Tomcat now returns 400 for requests with multiple content-length headers.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.34
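
The rejection rule described for CVE-2005-2090, as an added example (not Tomcat's own code): a check that answers 400 when a request carries more than one Content-Length header. It also rejects a single header whose value is not a plain decimal number, which is a stricter choice than the text above describes; the class name, method name and sample headers are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class ContentLengthCheck {

    /** Returns 200 when the framing is unambiguous, 400 when the request must be rejected. */
    static int validate(List<String> headerLines) {
        List<String> lengths = new ArrayList<>();
        for (String line : headerLines) {
            int colon = line.indexOf(':');
            if (colon <= 0) {
                return 400; // not a "name: value" header line
            }
            // Header names are case-insensitive, so compare in lower case.
            String name = line.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            if (name.equals("content-length")) {
                lengths.add(line.substring(colon + 1).trim());
            }
        }
        if (lengths.size() > 1) {
            // One component may use the first value and another the last,
            // so they disagree on where this request ends and the next begins.
            return 400;
        }
        if (lengths.size() == 1 && !lengths.get(0).matches("[0-9]{1,18}")) {
            return 400; // "11, 0", "+5", empty or non-numeric values are just as ambiguous
        }
        return 200;
    }

    public static void main(String[] args) {
        // Constructed sample header blocks, not captured traffic.
        List<String> single = List.of("Host: app.example", "Content-Length: 11");
        List<String> repeated = List.of("Host: app.example", "Content-Length: 11", "content-length: 0");
        List<String> listValue = List.of("Host: app.example", "Content-Length: 11, 0");

        System.out.println("single    -> " + validate(single));
        System.out.println("repeated  -> " + validate(repeated));
        System.out.println("listValue -> " + validate(listValue));
    }
}
```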

important: Directory traversal CVE-2007-0450

The fix for this issue was insufficient. A fix was also required in the JK connector module for httpd. See CVE-2007-1860 for further information.

Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, an HTTP request containing strings like "/\../" may allow attackers to work around the context restriction of the proxy, and access the non-proxied contexts.

The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false):

  • org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
  • org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false

Because it is impossible to guarantee that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.34
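
Why the proxy and the back end can disagree about the same path in CVE-2007-0450, as an added example (a model, not Tomcat's or any proxy's code): a prefix-matching proxy, a back end that treats '\' as a delimiter, and a strict check that rejects the three delimiters named above instead of rewriting them. The "/public/" context, the method names and the sample paths are assumptions made for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

public class PathDelimiterCheck {
    static final String PROXIED_PREFIX = "/public/"; // hypothetical proxied context

    /** What a prefix-matching proxy decides from the raw request path. */
    static boolean proxyForwards(String rawPath) {
        return rawPath.startsWith(PROXIED_PREFIX);
    }

    /** Model of a back end that accepts '\' as a delimiter and then resolves dot segments. */
    static String backendView(String rawPath) {
        Deque<String> segments = new ArrayDeque<>();
        for (String s : rawPath.replace('\\', '/').split("/")) {
            if (s.isEmpty() || s.equals(".")) continue;
            if (s.equals("..")) { segments.pollLast(); continue; }
            segments.addLast(s);
        }
        return "/" + String.join("/", segments);
    }

    /** Strict check matching both options at their default of false: reject, never rewrite. */
    static boolean strictAccept(String rawPath) {
        String lower = rawPath.toLowerCase(Locale.ROOT);
        return rawPath.indexOf('\\') < 0 && !lower.contains("%2f") && !lower.contains("%5c");
    }

    public static void main(String[] args) {
        // Constructed paths; the second uses the "/\../" pattern quoted above.
        String[] samples = { "/public/index.jsp", "/public/\\../other/index.jsp", "/public/a%5Cb" };
        for (String p : samples) {
            System.out.printf("%-32s proxy=%-5b backend=%-22s strict=%b%n",
                    p, proxyForwards(p), backendView(p), strictAccept(p));
        }
    }
}
```

For the second sample the proxy sees a path inside the proxied context while the modelled back end resolves it to a different context, which is the mismatch the strict check removes by refusing the request.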

low: Cross-site scripting CVE-2007-1358

Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit; however, older versions of Flash player were known to allow carefully crafted malicious Flash files to make requests with such custom headers. Tomcat now ignores invalid values for Accept-Language headers that do not conform to RFC 2616.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.34


Fixed in Apache Tomcat 4.1.32

important: Information disclosure CVE-2007-1858

The default SSL configuration permitted the use of insecure cipher suites including the anonymous cipher suite. The default configuration no longer permits the use of insecure cipher suites.

Affects: 4.1.28-4.1.31

low: Cross-site scripting CVE-2006-7196

The calendar application included as part of the JSP examples is susceptible to a cross-site scripting attack as it does not escape user provided data before including it in the returned page.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.31

low: Directory listing CVE-2006-3835

This is expected behaviour when directory listings are enabled. The semicolon (;) is the separator for path parameters so inserting one before a file name changes the request into a request for a directory with a path parameter. If directory listings are enabled, a directory listing will be shown. In response to this and other directory listing issues, directory listings were changed to be disabled by default.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.31

low: Cross-site scripting CVE-2005-4838

Various JSPs included as part of the JSP examples and the Tomcat Manager are susceptible to a cross-site scripting attack as they do not escape user provided data before including it in the returned page.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.31

important: Denial of service CVE-2005-3510

The root cause is the relatively expensive calls required to generate the content for the directory listings. If directory listings are enabled, the number of files in each directory should be kept to a minimum. In response to this issue, directory listings were changed to be disabled by default. Additionally, a patch has been proposed that would improve performance, particularly for large directories, by caching directory listings.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.31


Fixed in Apache Tomcat 4.1.29

moderate: Cross-site scripting CVE-2002-1567

The unmodified requested URL is included in the 404 response header. The new lines in this URL appear to the client to be the end of the header section. The remaining part of the URL, including the script elements, is treated as part of the response body and the client executes the script. Tomcat now replaces potentially unsafe characters in the response headers with spaces.

Affects: 4.1.0-4.1.28
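
The same message reaches two output contexts in CVE-2008-1232 (reason-phrase and error page), and CVE-2002-1567 is the header half of that problem. As an added example (not Tomcat's own code), the two encodings side by side: unsafe characters replaced with spaces for the header, markup characters escaped for the page body. Which characters count as unsafe is an assumption here (control characters, DEL and non-ASCII); the names and the sample message are constructed.

```java
public class ErrorMessageEncoding {

    /** Header context: replace control characters (including CR and LF), DEL and non-ASCII with a space. */
    static String forHeader(String msg) {
        StringBuilder sb = new StringBuilder(msg.length());
        for (int i = 0; i < msg.length(); i++) {
            char c = msg.charAt(i);
            sb.append(c < 0x20 || c >= 0x7f ? ' ' : c);
        }
        return sb.toString();
    }

    /** HTML body context: escape the characters that are significant in markup. */
    static String forHtml(String msg) {
        StringBuilder sb = new StringBuilder(msg.length() + 16);
        for (int i = 0; i < msg.length(); i++) {
            char c = msg.charAt(i);
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed message standing in for unfiltered user data; it contains CR LF and markup.
        String msg = "No such page: a\r\nX-Test: 1 <b>";

        // With the line break replaced by spaces the status line stays a single line.
        System.out.println("HTTP/1.1 404 " + forHeader(msg));

        // The body keeps the text readable but inert as markup.
        System.out.println("<p>" + forHtml(msg) + "</p>");
    }
}
```

Neither encoding substitutes for the other: header-safe text can still carry markup, and HTML-escaped text can still carry a line break.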


Fixed in Apache Tomcat 4.1.13, 4.0.6

important: Information disclosure CVE-2002-1394

A specially crafted URL using the invoker servlet in conjunction with the default servlet can enable an attacker to obtain the source of JSP pages or, under special circumstances, a static resource that would otherwise have been protected by a security constraint without the need to be properly authenticated. This is a variation of CVE-2002-1148.

Affects: 4.0.0-4.0.5, 4.1.0-4.1.12

moderate: Cross-site scripting CVE-2002-0682

A specially crafted URL using the invoker servlet and various internal classes causes Tomcat to throw an exception that includes unescaped information from the malformed request. This allows the XSS attack.

Affects: 4.0.0-4.0.5, 4.1.0-4.1.12


Fixed in Apache Tomcat 4.1.12, 4.0.5

important: Information disclosure CVE-2002-1148

A specially crafted URL using the default servlet can enable an attacker to obtain the source of JSP pages.

Affects: 4.0.0-4.0.4, 4.1.0-4.1.11


Fixed in Apache Tomcat 4.1.3

important: Denial of service CVE-2002-0935

A malformed HTTP request can cause the request processing thread to become unresponsive. A sequence of such requests will cause all request processing threads, and hence Tomcat as a whole, to become unresponsive.

Affects: 4.0.0-4.0.2?, 4.0.3, 4.0.4-4.0.6?, 4.1.0-4.1.2?


Fixed in Apache Tomcat 4.1.0

important: Denial of service CVE-2003-0866

A malformed HTTP request can cause the request processing thread to become unresponsive. A sequence of such requests will cause all request processing threads, and hence Tomcat as a whole, to become unresponsive.

Affects: 4.0.0-4.0.6

low: Information disclosure CVE-2002-2006

The snoop and troubleshooting servlets installed as part of the examples include output that identifies the Tomcat installation path.

Affects: 4.0.0-4.0.6


Fixed in Apache Tomcat 4.0.2

low: Information disclosure CVE-2002-2009, CVE-2001-0917

Requests for JSP files where the file name is preceded by '+/', '>/', '</' or '%20/' or a request for a JSP with a long file name would result in an error page that included the full file system path to the JSP file.

Affects: 4.0.0-4.0.1


Fixed in Apache Tomcat 4.0.0

moderate: Security manager bypass CVE-2002-0493

If errors are encountered during the parsing of web.xml and Tomcat is configured to use a security manager it is possible for Tomcat to start without the security manager in place.

Affects: Pre-release builds of 4.0.0


Unverified

low: Installation path disclosure CVE-2005-4703, CVE-2002-2008

This issue only affects Windows operating systems. It cannot be reproduced on Windows XP Home with JDKs 1.3.1, 1.4.2, 1.5.0 or 1.6.0. Further investigation is required to determine the Windows operating system and JDK combinations that do exhibit this issue. The vulnerability reports for this issue state that it is fixed in 4.1.3 onwards.

Affects: 4.0.3?

important: Denial of service CVE-2002-1895

This issue only affects configurations that use IIS in conjunction with Tomcat and the AJP1.3 connector. It cannot be reproduced using Windows 2000 SP4 with latest patches and Tomcat 4.0.4 with JDK 1.3.1. The vulnerability reports for this issue state that it is fixed in 4.1.10 onwards.

Affects: 4.0.4?


Not a vulnerability in Tomcat

Denial of service vulnerability CVE-2002-0936

The issue described requires an attacker to be able to plant a JSP page on the Tomcat server. If an attacker can do this then the server is already compromised. In this case an attacker could just as easily add a page that called System.exit(1) rather than relying on a bug in an internal Sun class.



Copyright © 1999-2008, The Apache Software Foundation