Download
| Alert*
oval:org.secpod.oval:def:602978
libservlet3.0-java is installed oval:org.secpod.oval:def:1901153 Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an ap ... oval:org.secpod.oval:def:602966 Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and JSP engine, static error pages used the original request"s HTTP method to serve content, instead of systematically using the GET method. This could under certain conditions result in undesirable results, including the replacement o ... oval:org.secpod.oval:def:53087 Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and JSP engine, static error pages used the original request"s HTTP method to serve content, instead of systematically using the GET method. This could under certain conditions result in undesirable results, including the replacement o ... oval:org.secpod.oval:def:1901496 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. oval:org.secpod.oval:def:1900768 When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request. oval:org.secpod.oval:def:61624 The host is installed with Apache Tomcat 9.x before 9.0.31, 7.x before 7.0.100 or 8.5.x before 8.5.51 and is prone to an AJP request injection vulnerability. A flaw is present in application, which fails to properly handle a regression introduced due to refactoring. Successful exploitation allows re ... |