oval:org.secpod.oval:def:501289
tomcat is installed

oval:org.secpod.oval:def:14059
The host is installed with Apache Tomcat 7.x before 7.0.40 and is prone to information disclosure vulnerability. A flaw is present in the application, which fails to properly handle the throwing of a RuntimeException in an AsyncListener in an application. Successful exploitation allows attackers to ...

oval:org.secpod.oval:def:21164
The host is installed with Apache Tomcat 7.x before 7.0.40 and is prone to unrestricted file upload vulnerability. A flaw is present in the application, which fails to properly handle outdated java.io.File code and a custom JMX configuration. Successful exploitation allows remote attackers to execut ...

oval:org.secpod.oval:def:20816
The host is installed with Apache Tomcat 6.0.0 through 6.0.15 and is prone to information disclosure vulnerability. A flaw is present in the application, which fails to handle the parameter processing. Successful exploitation allows remote attackers to obtain sensitive information.

oval:org.secpod.oval:def:20834
The host is installed with Apache Tomcat 7.x before 7.0.22 and is prone to privilege escalation vulnerability. A flaw is present in the application, which does not properly restrict ContainerServlets in the Manager application. Successful exploitation allows remote attackers to gain privileges by us ...

oval:org.secpod.oval:def:20840
The host is installed with Apache Tomcat 8.x before 8.0.4 and is prone to denial of service vulnerability. A flaw is present in the application, which fails to handle a "Content-Length: 0" AJP request to trigger a hang in request processing. Successful exploitation allows remote attackers to cause a ...

oval:org.secpod.oval:def:25125
The host is installed with Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58 or 8.x before 8.0.16 and is prone to a security bypass vulnerability. A flaw is present in the Expression Language (EL) implementation, which does not properly consider the possibility of an accessible interface implemente ...

oval:org.secpod.oval:def:25126
The host is installed with Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55 or 8.x before 8.0.9 and is prone to a denial of service vulnerability. A flaw is present in application, which does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request ...

oval:org.secpod.oval:def:89046095
This update for tomcat fixes the following issues: - Remove hard log4j dependency, as it is not required by tomcat itself

oval:org.secpod.oval:def:7987
The host is installed with Apache Tomcat 6.x before 6.0.36 or 7.x before 7.0.28 and is prone to denial of service vulnerability. A flaw is present in the application, which fails to properly restrict the request-header size. Successful exploitation allows remote attackers to cause a denial of servic ...

oval:org.secpod.oval:def:33125
The host is installed with Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65 or 8.x before 8.0.27 and is prone to a directory traversal vulnerability. A flaw is present in RequestUtil.java, which fails to handle a /.. (slash dot dot) in a pathname used by a web application in a getResource, getReso ...

oval:org.secpod.oval:def:33193
The host is installed with Apache Tomcat 7.0.x before 7.0.51 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to handle a crafted Content-Type header that bypasses a loop's intended exit conditions. Successful exploitation allows remote attackers to c ...

oval:org.mitre.oval:def:12401
Apache Tomcat is installed

oval:org.secpod.oval:def:7942
The host is installed with Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, or 7.x before 7.0.30 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to properly check for stale nonce values in conjunction with enforcement of proper credentials in the ...

oval:org.secpod.oval:def:7943
The host is installed with Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, or 7.x before 7.0.30 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to properly handle caches information in the HTTP Digest Access Authentication implementation. Succes ...

oval:org.secpod.oval:def:8234
The host is installed with Apache Tomcat 6.x before 6.0.36 or 7.x before 7.0.28 and is prone to denial of service vulnerability. A flaw is present in the application, which is caused when the NIO connector is used in conjunction with sendfile and HTTPS. Successful exploitation allows remote attacker ...

oval:org.secpod.oval:def:8235
The host is installed with Apache Tomcat 6.x before 6.0.36 or 7.x before 7.0.32 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to handle a request that lacks a session identifier. Successful exploitation allows remote attackers to bypass the cross-si ...

oval:org.secpod.oval:def:61582
The host is installed with Apache Tomcat 9.28 before 9.0.31, 7.0.98 before 7.0.100 or 8.5.48 before 8.5.51 and is prone to an HTTP request smuggling vulnerability. A flaw is present in application, which fails to properly handle a regression introduced due to refactoring. Successful exploitation all ...

oval:org.secpod.oval:def:203242
tomcat6 is installed

oval:org.secpod.oval:def:723
The host is installed with Apache Tomcat and is prone to information disclosure vulnerability. A flaw is present in the HTTP BIO connector, which fails to handle HTTP pipelining and mixes up the responses between requests. Successful exploitation could allow remote attackers to obtain sensitive info ...

oval:org.secpod.oval:def:832
The host is installed with Apache Tomcat and is prone to cross-site scripting vulnerability. A flaw is present in the default configuration, which fails to set httpOnly flag in the Set-Cookie header. Successful exploitation allows remote attackers to hijack a session via script access to a cookie.

oval:org.secpod.oval:def:8085
The host is installed with Apache Tomcat through 7.0.x and is prone to denial of service vulnerability. A flaw is present in the application, which fails to handle the partial HTTP requests. Successful exploitation allows remote attackers to cause a denial of service (daemon outage).

oval:org.secpod.oval:def:203393
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag lib ...

oval:org.secpod.oval:def:67635
The host is installed with Apache Tomcat 10.x before 10.0.0-M10, 9.0.0.M1 before 9.0.40 or 8.5.0 before 8.5.60 and is prone to a request header mix-up vulnerability. A flaw is present in application, which fails to properly handle an HTTP request header value re-used from the previous stream. Succes ...

oval:org.secpod.oval:def:89045787
This update for tomcat fixes the following issues: - CVE-2021-30640: Escape parameters in JNDI Realm queries. - CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1 clients. - CVE-2021-41079: Fixed a denial of service caused by an unexpected TLS packet.

oval:org.secpod.oval:def:89045797
This update for tomcat fixes the following issues: - CVE-2021-30640: Escape parameters in JNDI Realm queries. - CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1 clients. - CVE-2021-41079: Fixed a denial of service caused by an unexpected TLS packet.

oval:org.secpod.oval:def:89044203
This update for tomcat fixes the following issues: - CVE-2021-25329: Complete fix for CVE-2020-9484

oval:org.secpod.oval:def:66019
The host is installed with Apache Tomcat 10.x before 10.0.0-M8, 9.0.0.M5 before 9.0.38 or 8.5.1 before 8.5.58 and is prone to a request mix-up vulnerability. A flaw is present in application, which fails to properly handle the violation of the limit on the number of concurrent streams. Successful ex ...

oval:org.secpod.oval:def:89045370
This update for tomcat6 fixes the following issue: - CVE-2016-5388 Setting HTTP_PROXY environment variable via Proxy header

oval:org.secpod.oval:def:1556
The host is installed with Apache Tomcat version 7.0.0 through 7.0.19, 6.0.0 through 6.0.33 and 5.5.0 through 5.5.34 and is prone to information disclosure vulnerability. A flaw is present in the application, which fails to handle HTTP APR or HTTP NIO connector when sendfile is enabled. Successful e ...

oval:org.secpod.oval:def:395
The host is installed with Apache Tomcat and is prone to security bypass vulnerability. A flaw is present in the application which is caused by an error related to ignoring ServletSecurity annotations. Successful exploitation allows attackers to bypass security restrictions and launch further attacks ...

oval:org.secpod.oval:def:606
The host is installed with Apache Tomcat and is prone to multiple cross site scripting vulnerabilities. Flaws are present in the HTML Manager Interface, which fails to properly validate user supplied input before using it in dynamically generated content. Successful exploitation allows remote attack ...

oval:org.secpod.oval:def:605
The host is installed with Apache Tomcat and is prone to security bypass vulnerability. A flaw is present in SecurityManager, which fails to make ServletContext attribute read-only thus allowing local web applications to read or write files outside the intended working directory. Successful exploita ...

oval:org.secpod.oval:def:833
The host is installed with Apache Tomcat and is prone to multiple cross-site scripting (XSS) vulnerabilities. The flaws are present in the application which fails to properly filter HTML code from user-supplied input before displaying the input. Successful exploitation allows remote attackers to inj ...

oval:org.secpod.oval:def:20822
The host is installed with Apache Tomcat 5.5.10 through 5.5.20 and is prone to array index out-of-bounds vulnerability. A flaw is present in the application, which fails to handle a certain error condition. Successful exploitation can cause Tomcat to send POST content from one request to a different re ...

oval:org.secpod.oval:def:20821
The host is installed with Apache Tomcat 5.5.0 and is prone to information disclosure vulnerability. A flaw is present in the application, which fails to handle a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated ...

oval:org.secpod.oval:def:33194
The host is installed with Adobe Flash Player before 18.0.0.268, 19.x, 20.x before 20.0.0.228 or Adobe AIR before 20.0.0.204 and is prone to an out-of-bounds vulnerability. A flaw is present in the applications, which fail to properly handle crafted MPEG-4 data. Successful exploitation could allow a ...

oval:org.secpod.oval:def:3301112
SUSE Security Update: Security update for tomcat

oval:org.secpod.oval:def:3300701
SUSE Security Update: Security update for tomcat

oval:org.secpod.oval:def:202312
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that the Java hashCode method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause Tomcat to use an excessive amount of CPU time by send ...

oval:org.secpod.oval:def:203313
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encodin ...

oval:org.secpod.oval:def:202902
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the atta ...

oval:org.secpod.oval:def:203350
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was discovered that Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against Tomcat ...

oval:org.secpod.oval:def:203391
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity attacks. An attacker able to de ...

oval:org.secpod.oval:def:89049237
This update for tomcat fixes the following issues: * Remove the log4j dependency as it is not used by the tomcat package Security hardening, related to Spring Framework vulnerabilities: - Deprecate getResources and always return null.

oval:org.secpod.oval:def:1701728
A flaw was found in the Apache Tomcat package. An example web application did not filter the form authentication example, exposing a Cross-site scripting vulnerability

oval:org.secpod.oval:def:1701773
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using ...

oval:org.secpod.oval:def:89046073
This update for tomcat fixes the following issues: - CVE-2022-23181: Fixed time of check, time of use vulnerability that allowed local privilege escalation

oval:org.secpod.oval:def:89046099
This update for tomcat fixes the following issues: Security issues fixed: - CVE-2022-23181: Fixed time of check, time of use vulnerability that allowed local privilege escalation. - Remove log4j dependency, which is currently directly in use - Make the package RPM conflict even more specific to co ...

oval:org.secpod.oval:def:1701684
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using ...

oval:org.secpod.oval:def:89046010
This update for tomcat fixes the following issues: - CVE-2022-23181: Fixed time of check, time of use vulnerability that allowed local privilege escalation

oval:org.secpod.oval:def:81759
The host is installed with Apache Tomcat 10.1.0-M1 through 10.1.0-M14, 10.0.0.M1 through 10.0.20, 9.0.13 through 9.0.62 or 8.5.38 through 8.5.78 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to handle an issue in EncryptInterceptor which incorrectly ...

oval:org.secpod.oval:def:1701683
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection, it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 ps ...

oval:org.secpod.oval:def:1701758
A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain access to normally-restricted functionalit ...

oval:org.secpod.oval:def:1701687
A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain access to normally-restricted functionalit ...

oval:org.secpod.oval:def:1503298
Updated tomcat6 packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System base scores, which give detailed severity ratings, ...

oval:org.secpod.oval:def:3939
The host is installed with Apache Tomcat 6.x before 6.0.34, and 7.x before 7.0.23 and is prone to an information disclosure vulnerability. A flaw is present in the application, which fails to properly perform certain caching and recycling operations involving request objects. Successful exploitation ...

oval:org.secpod.oval:def:2277
The host is installed with Apache Tomcat 7.0.0 through 7.0.20, or 6.0.0 through 6.0.33 or 5.5.0 through 5.5.33 and is prone to security bypass vulnerability. A flaw is present in the application which is caused by the improper handling of messages by the AJP protocol. Successful exploitation allows ...

oval:org.secpod.oval:def:202865
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. APR as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions does not refer to APR provided by the apr packages. It refers to the implementation of APR provided by the Tomcat Native library, which ...

oval:org.secpod.oval:def:1601229
Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a ...

oval:org.secpod.oval:def:500262
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. APR as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions does not refer to APR provided by the apr packages. It refers to the implementation of APR provided by the Tomcat Native library, which ...

oval:org.secpod.oval:def:1518
The host is installed with Apache Tomcat and is prone to an information disclosure vulnerability. A flaw is present in the application, which stores passwords in log files if errors are encountered during JMX user creation. Successful exploitation could allow an attacker to read log files and obtain ...

oval:org.secpod.oval:def:1055
The host is installed with Apache Tomcat and is prone to security bypass vulnerability. A flaw is present in the default configuration, which fails to enforce security constraints that have been configured through annotations on the first request to a servlet. Successful exploitation allows remote at ...

oval:org.secpod.oval:def:722
The host is installed with Apache Tomcat and is prone to security bypass vulnerability. A flaw is present in the browser, which fails to implement security constraints when login configuration is not present in the web.xml and the web application is marked as meta-data complete. Successful exploitat ...

oval:org.secpod.oval:def:396
The host is installed with Apache Tomcat and is prone to security bypass vulnerability. A flaw is present in web.xml in the application which is caused by an error related to ignoring ServletSecurity annotations. Successful exploitation allows attackers to bypass security restrictions and launch furt ...

oval:org.secpod.oval:def:500221
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that web applications could modify the location of the Tomcat host's work directory. As web applications deployed on Tomcat have read and write access to this directory, a malicious web applica ...

oval:org.secpod.oval:def:1504565
[6.0.24-33] - resolves: rhbz 695284 - multiple instances logging fiasco [6.0.24-32] - Resolves: rhbz 698624 - inet4address can't be cast to String [6.0.24-31] - Resolves: rhbz 656403 - cve-2010-4172 jsp syntax error [6.0.24-30] - Resolves: rhbz#697504 initscript logging location [6.0.24-29] - Resolv ...

oval:org.secpod.oval:def:604
The host is installed with Apache Tomcat and is prone to denial of service vulnerability. A flaw is present in the application which is caused by an error in the NIO connector when processing a request line. Successful exploitation allows remote attackers to cause an OutOfMemory error and crash the s ...

oval:org.secpod.oval:def:20831
The host is installed with Apache Tomcat 5.5.0 through 5.5.29 or 6.0.0 through 6.0.26 and is prone to information disclosure vulnerability. A flaw is present in the application, which fails to handle directory traversal sequences in a WAR filename, as demonstrated by the ...war filename. Successful e ...

oval:org.secpod.oval:def:20823
The host is installed with Apache Tomcat 5.5.0 through 5.5.27 or 6.0.0 through 6.0.18 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to handle a .. (dot dot) in sequences and the WEB-INF directory in a request. Successful exploitation allows remote atta ...

oval:org.secpod.oval:def:20824
The host is installed with Apache Tomcat 5.5.0 through 5.5.27 or 6.0.0 through 6.0.18 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to handle a crafted request with invalid headers, related to temporary blocking of connectors that have encountered erro ...

oval:org.secpod.oval:def:20827
The host is installed with Apache Tomcat 5.5.0 through 5.5.27 or 6.0.0 through 6.0.18 and is prone to unspecified vulnerability. A flaw is present in the application, which fails to handle a crafted application. Successful exploitation allows remote attackers to read or modify the (1) web.xml, (2) cont ...

oval:org.secpod.oval:def:20825
The host is installed with Apache Tomcat 5.5.0 through 5.5.27 or 6.0.0 through 6.0.18 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to handle error checking in some authentication classes. Successful exploitation allows remote attackers to enumerate ...

oval:org.secpod.oval:def:20826
The host is installed with Apache Tomcat 5.5.0 through 5.5.27 or 6.0.0 through 6.0.18 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to handle the time parameter. Successful exploitation allows remote attackers to inject arbitrary web script or HTML v ...

oval:org.secpod.oval:def:20830
The host is installed with Apache Tomcat 5.5.0 through 5.5.28 or 6.0.0 through 6.0.20 and is prone to directory traversal vulnerability. A flaw is present in the application, which fails to handle directory traversal sequences in a WAR filename, as demonstrated by the ...war filename. Successful expl ...

oval:org.secpod.oval:def:20829
The host is installed with Apache Tomcat 5.5.0 through 5.5.28 or 6.0.0 through 6.0.20 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to handle HTTP requests. Successful exploitation allows remote attackers to bypass intended authentication requirements.

oval:org.secpod.oval:def:7988
The host is installed with Apache Tomcat 6.0.0 through 6.0.20 or 5.5.0 through 5.5.28 and is prone to insecure default administrative password vulnerability. A flaw is present in the application, where the Windows installer creates a blank password by default for the administrative user. Successful ...

oval:org.secpod.oval:def:20820
The host is installed with Apache Tomcat 5.5.0 through 5.5.26 or 6.0.0 through 6.0.16 and is prone to directory traversal vulnerability. A flaw is present in the application, which fails to handle a .. (dot dot) in a request parameter. Successful exploitation allows remote attackers to conduct director ...

oval:org.secpod.oval:def:20818
The host is installed with Apache Tomcat 5.5.0 through 5.5.26 or 6.0.0 through 6.0.16 and is prone to cross-site scripting (XSS) vulnerability. A flaw is present in the application, which fails to handle the cookie in an https session. Successful exploitation allows remote attackers to inject arbitrary ...

oval:org.secpod.oval:def:20819
The host is installed with Apache Tomcat 5.5.0 through 5.5.26 or 6.0.0 through 6.0.16 and is prone to cross-site scripting (XSS) vulnerability. A flaw is present in the application, which fails to handle the name parameter to host-manager/html/add. Successful exploitation allows remote attackers to inj ...

oval:org.secpod.oval:def:118372
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:1500647
It was found that a fix for a previous security flaw introduced a regression that could cause a denial of service in Tomcat 7. A remote attacker could use this flaw to consume an excessive amount of CPU on the Tomcat server by sending a specially crafted request to that server. It was found that whe ...

oval:org.secpod.oval:def:1500676
It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could ...

oval:org.secpod.oval:def:1500678
Updated tomcat6 packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Low security impact. Common Vulnerability Scoring System base scores, which give detailed severity ratings, are available for each vulnera ...

oval:org.secpod.oval:def:1500608
Updated tomcat6 packages that fix three security issues and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System base scores, which give detailed severity ratings, ...

oval:org.secpod.oval:def:1600155
It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw t ...

oval:org.secpod.oval:def:1500571
Updated tomcat6 packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System base scores, which give detailed severity ratings, are available ...

oval:org.secpod.oval:def:1701788
A memory leak flaw was found in Apache Tomcat, where an HTTP upgrade connection does not release for WebSocket connections once the WebSocket connection is closed. If a sufficient number of such requests are made, an OutOfMemoryError occurs, leading to a denial of service. The highest threat from th ...

oval:org.secpod.oval:def:1701724
A memory leak flaw was found in Apache Tomcat, where an HTTP upgrade connection does not release for WebSocket connections once the WebSocket connection is closed. If a sufficient number of such requests are made, an OutOfMemoryError occurs, leading to a denial of service. The highest threat from th ...

oval:org.secpod.oval:def:1701676
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. Apache Tomcat ...

oval:org.secpod.oval:def:1701796
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer en ...

oval:org.secpod.oval:def:1701709
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this woul ...

oval:org.secpod.oval:def:501323
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that a fix for a previous security flaw introduced a regression that could cause a denial of service in Tomcat 7. A remote attacker could use this flaw to consume an excessive amount of CPU on ...

oval:org.secpod.oval:def:501271
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encodin ...

oval:org.secpod.oval:def:3938
The host is installed with Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 and is prone to a denial of service vulnerability. A flaw is present in the application, which uses an inefficient approach for handling parameters. Successful exploitation could allow attackers to ...

oval:org.secpod.oval:def:3749
The host is installed with Apache Tomcat 5.5.x before 5.5.34 or 6.x before 6.0.33 or 7.x before 7.0.12 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to properly handle Catalina in HTTP Digest Access Authentication implementation. Successful exploita ...

oval:org.secpod.oval:def:3750
The host is installed with Apache Tomcat 5.5.x before 5.5.34 or 6.x before 6.0.33 or 7.x before 7.0.12 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to check realm values. Successful exploitation allows remote attackers to bypass intended access res ...

oval:org.secpod.oval:def:3751
The host is installed with Apache Tomcat 5.5.x before 5.5.34 or 6.x before 6.0.33 or 7.x before 7.0.12 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to check qop values. Successful exploitation allows remote attackers to bypass intended integrity-pr ...

oval:org.secpod.oval:def:3725
The host is installed with Apache Tomcat before 5.5.35 or 6.x before 6.0.35 or 7.x before 7.0.23 and is prone to denial-of-service vulnerability. A flaw is present in the application, which computes hash values for form parameters without restricting the ability to trigger hash collisions. Successfu ...

oval:org.secpod.oval:def:1504563
[0:6.0.24-36] - Resolves: CVE-2012-0022 regression. Changes made to patch file.

oval:org.secpod.oval:def:500778
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that the Java hashCode method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause Tomcat to use an excessive amount of CPU time by send ...

oval:org.secpod.oval:def:20833
The host is installed with Apache Tomcat 7.0.x before 7.0.17 and is prone to unspecified vulnerability. A flaw is present in the application, which fails to handle a crafted application. Successful exploitation allows remote attackers to read or modify the (1) web.xml, (2) context.xml, or (3) tld files ...

oval:org.secpod.oval:def:500009
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Tomcat to hang via a specially-crafted HTTP request. A flaw wa ...

oval:org.secpod.oval:def:1503426
Updated tomcat6 packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System base scores, which give detailed severity ratings, ar ...

oval:org.secpod.oval:def:20832
The host is installed with Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.26 or 7.0.0 and is prone to denial of service vulnerability. A flaw is present in the application, which fails to handle a crafted header. Successful exploitation allows remote attackers to cause a denial of service (appli ...

oval:org.secpod.oval:def:20828
The host is installed with Apache Tomcat 5.5.0 through 5.5.28 or 6.0.0 through 6.0.20 and is prone to directory traversal vulnerability. A flaw is present in the application, which fails to handle a .. (dot dot) in an entry in a WAR file. Successful exploitation allows remote attackers to create or ove ...

oval:org.secpod.oval:def:20817
The host is installed with Apache Tomcat 5.5.0 through 5.5.20 or 6.0.0 through 6.0.8 and is prone to information disclosure vulnerability. A flaw is present in the application, which fails to handle the cookie in an https session. Successful exploitation allows remote attackers to obtain sensitive info ...

oval:org.secpod.oval:def:95152
The host is installed with Apache Tomcat 7.x through 7.0.105 and is prone to a denial of service vulnerability. A flaw is present in the application, which does not properly handle issues in partial HTTP requests. Successful exploitation allows attackers to cause a denial of service (daemon outage) ...

oval:org.secpod.oval:def:14058
The host is installed with Apache Tomcat 6.x before 6.0.37 or 7.x before 7.0.30 and is prone to denial of service vulnerability. A flaw is present in the application, which fails to properly handle chunk extensions in chunked transfer coding. Successful exploitation allows attackers to cause a denia ...

oval:org.secpod.oval:def:202890
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ...

oval:org.secpod.oval:def:14060
The host is installed with Apache Tomcat 6.0.21 through 6.0.36 or 7.x before 7.0.33 and is prone to session fixation vulnerability. A flaw is present in the application, which fails to properly handle the relationships between authentication requirements and sessions. Successful exploitation allows ...

oval:org.secpod.oval:def:1500116
Updated tomcat6 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System base scores, which give detailed severity ratings, are available ...

oval:org.secpod.oval:def:501061
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ...

oval:org.secpod.oval:def:1503937
Updated tomcat6 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available ...

oval:org.secpod.oval:def:7944
The host is installed with Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, or 7.x before 7.0.30 and is prone to security bypass vulnerability. A flaw is present in the application, which fails to properly handle the replay-countermeasure functionality in the HTTP Digest Access Authentication i ...

oval:org.secpod.oval:def:501072
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the atta ...

oval:org.secpod.oval:def:8233
The host is installed with Apache Tomcat 6.x before 6.0.36 or 7.x before 7.0.30 and is prone to security bypass vulnerability. A flaw is present in the application, which is caused when FORM authentication is used. Successful exploitation allows remote attackers to bypass security-constraint checks ...

oval:org.secpod.oval:def:501021
Apache Tomcat is a servlet container. It was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal before the call to FormAuthenticator#authenticate, it was possible to bypass the security constraint checks in the FORM authenticato ...

oval:org.secpod.oval:def:1500182
Updated tomcat6 packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System base scores, which give detailed severity ratings, are available ...

oval:org.secpod.oval:def:3752
The host is installed with Apache Tomcat 5.5.x before 5.5.34 or 6.x before 6.0.33 or 7.x before 7.0.12 and is prone to security bypass vulnerability. A flaw is present in the application, which does not have the expected countermeasures against replay attacks. Successful exploitation allows remote a ...

oval:org.secpod.oval:def:202639
Apache Tomcat is a servlet container. It was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal before the call to FormAuthenticator#authenticate, it was possible to bypass the security constraint checks in the FORM authenticato ...

oval:org.secpod.oval:def:107624
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:1600256
The tomcat5, tomcat6, and tomcat7 init scripts, as used in the RPM distribution of Tomcat for JBoss Enterprise Web Server 1.0.2 and 2.0.0, and Red Hat Enterprise Linux 5 and 6, allow local users to change the ownership of arbitrary files via a symlink attack on tomcat5-initd.log, tomcat6-initd. ...

oval:org.secpod.oval:def:1701748
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false, Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack pos ...

oval:org.secpod.oval:def:89048010
This update for tomcat fixes the following issues: - CVE-2022-42252: Fixed a request smuggling .

oval:org.secpod.oval:def:1701734
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false, Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack pos ...

oval:org.secpod.oval:def:89047947
This update for tomcat fixes the following issues: - CVE-2022-42252: Fixed a request smuggling .

oval:org.secpod.oval:def:54962
The host is installed with Apache Tomcat versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 or 7.0.0 to 7.0.93 and is prone to a cross-site scripting vulnerability. A flaw is present in the application which fails to handle the issue in SSI printenv. Successful exploitation allows an attacker to perform c ...

oval:org.secpod.oval:def:54292
The host is installed with Apache Tomcat versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 or 7.0.0 to 7.0.93 and is prone to a remote code execution vulnerability. A flaw is present in the application which fails to handle the issue in CGI servlet. Successful exploitation allows a remote attacker to exe ...

oval:org.secpod.oval:def:116193
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:53946
The host is installed with Apache Tomcat versions 9.0.0.M1 to 9.0.14 or 8.5.0 to 8.5.37 and is prone to a denial of service vulnerability. A flaw is present in the application which fails to handle the issue during the HTTP/2 implementation. Successful exploitation allows attackers to cause server-s ...

oval:org.secpod.oval:def:204892
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: A bug in the UTF-8 decoder can lead to DoS For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed ...

oval:org.secpod.oval:def:113978
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:114015
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:204699
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * A vulnerability was discovered in Tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to b ...

oval:org.secpod.oval:def:89044662
This update for tomcat fixes the following issues: Security issues fixed: - CVE-2017-5664: A problem in handling error pages was fixed, to avoid potential file overwrites during error page handling. - CVE-2017-7674: A CORS Filter issue could lead to client and server side cache poisoning - CVE-2017 ...

oval:org.secpod.oval:def:204472
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid character ...

oval:org.secpod.oval:def:204462
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid character ...

oval:org.secpod.oval:def:111608
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:111607
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:204677
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. The following packages have been upgraded to a later upstream version: tomcat . Security Fix: * The Realm implementations did not process the supplied password if the supplied user name did not exist. This ...

oval:org.secpod.oval:def:502188
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * A vulnerability was discovered in Tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to b ...

oval:org.secpod.oval:def:502190
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * A vulnerability was discovered in Tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to b ...

oval:org.secpod.oval:def:89044827
This update for tomcat fixes the following issues: - CVE-2017-5647 Pipelined requests could lead to information disclosure - CVE-2017-5648 Untrusted application could retain listener leading to information disclosure - CVE-2016-8745 shared Processor on Connector code could lead to information disc ...

oval:org.secpod.oval:def:204700
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * A vulnerability was discovered in Tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to b ...

oval:org.secpod.oval:def:1502052
The advisory is missing the security advisory description. For more information please visit the reference link

oval:org.secpod.oval:def:1502051
The advisory is missing the security advisory description. For more information please visit the reference link

oval:org.secpod.oval:def:40404
The host is installed with Apache Tomcat 8.5.x before 8.5.13 or 9.x before 9.0.0.M19 and is prone to a denial of service vulnerability. A flaw is present in the Application, which fails to handle an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were ...

oval:org.secpod.oval:def:40405
The host is installed with Apache Tomcat 8.5.x before 8.5.13 or 9.x before 9.0.0.M19 and is prone to a denial of service vulnerability. A flaw is present in the Application, which fails to properly handle send file process. Successful exploitation could result in the same Processor being used for m ...

oval:org.secpod.oval:def:40406
The host is installed with Apache Tomcat 7.x before 7.0.76, 8.x before 8.0.42, 8.5.x before 8.5.12 or 9.x before 9.0.0.M18 and is prone to an information disclosure vulnerability. A flaw is present in the Application, which did not use the appropriate facade object. Successful exploitation allows un ...

oval:org.secpod.oval:def:113662
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:204545
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the remova ...

oval:org.secpod.oval:def:113407
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:113408
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:111769
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:111761
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:111758
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:40403
The host is installed with Apache Tomcat 6.0 before 6.0.52, 7.x before 7.0.76, 8.x before 8.0.42, 8.5.x before 8.5.12 or 9.x before 9.0.0.M19 and is prone to an unspecified vulnerability. A flaw is present in the Application, which fails to handle pipelined requests. Successful exploitation could re ...

oval:org.secpod.oval:def:89044770
This update for tomcat6 fixes the following issues: Tomcat was updated to version 6.0.53: The full changelog is: http://tomcat.apache.org/tomcat-6.0-doc/changelog.html Security issues fixed: - CVE-2017-5647: A bug in the handling of pipelined requests could lead to information disclosure (bsc#103664 ...

oval:org.secpod.oval:def:39740
The host is installed with Apache Tomcat 6.0.x to 6.0.47, 7.x to 7.0.72, 8.0.0 to 8.0.38, 8.5.x to 8.5.6 or 9.0.0.M1 to 9.0.0.M11 and is prone to a cross-site scripting vulnerability. A flaw is present in the application, which does not properly handle certain inconsistent HTTP request headers. Succ ...

oval:org.secpod.oval:def:39741
The host is installed with Apache Tomcat 8.5.7 to 8.5.9 or 9.0.0.M11 to 9.0.0.M15 and is prone to an information disclosure vulnerability. A flaw is present in the reverse-proxy configurations, which fails to handle different requests. Successful exploitation allows remote attackers to read data tha ...

oval:org.secpod.oval:def:89045371
This update for tomcat fixes the following issues: Feature changes: The embedded Apache Commons DBCP component was updated to version 2.0. Security fixes: - CVE-2016-0762: Realm Timing Attack - CVE-2016-5018: Security Manager Bypass - CVE-2016-6794: System Property Disclosure - CVE-2016-6796: Se ...

oval:org.secpod.oval:def:1501407
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. This update ...

oval:org.secpod.oval:def:110343
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:89045245
This update for tomcat6 fixes the following issues: The version was updated from 6.0.41 to 6.0.45. Security issues fixed: * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in Apache Tomcat allowed remote authenticated users to bypass intended SecurityManager restrictions and lis ...

oval:org.secpod.oval:def:20843
The host is installed with Apache Tomcat 6.0.x before 6.0.40, 7.x before 7.0.54 or 8.x before 8.0.6 and is prone to information disclosure vulnerability. A flaw is present in the application, which fails to handle a crafted web application. Successful exploitation allows remote attackers to (1) read ...

oval:org.secpod.oval:def:20841
The host is installed with Apache Tomcat 6.0.x before 6.0.40, 7.x before 7.0.53 or 8.x before 8.0.4 and is prone to information disclosure vulnerability. A flaw is present in the application, which does not properly restrict XSLT stylesheets. Successful exploitation allows remote attackers to bypas ...

oval:org.secpod.oval:def:20842
The host is installed with Apache Tomcat 6.0.x before 6.0.40, 7.x before 7.0.53 or 8.x before 8.0.4 and is prone to information disclosure vulnerability. A flaw is present in the application, which fails to handle a crafted Content-Length HTTP header. Successful exploitation allows remote attackers ...

oval:org.secpod.oval:def:204021
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicio ...

oval:org.secpod.oval:def:33121
The host is installed with Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31 or 9.x before 9.0.0.M3 and is prone to a security bypass vulnerability. A flaw is present in the setGlobalContext method, which does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized. Success ...

oval:org.secpod.oval:def:33120
The host is installed with Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31 or 9.x before 9.0.0.M2 and is prone to a security bypass vulnerability. A flaw is present in the application, which does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catal ...

oval:org.secpod.oval:def:501791
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. This updat ...

oval:org.secpod.oval:def:33119
The host is installed with Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31 or 9.x before 9.0.0.M2 and is prone to a security bypass vulnerability. A flaw is present in the session-persistence implementation, which mishandles session attributes. Successful exploitation allows re ...

oval:org.secpod.oval:def:1200188
It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as new request, or cause a denial of service.

oval:org.secpod.oval:def:108433
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:205726
The advisory is missing the security advisory description. For more information please visit the reference link

oval:org.secpod.oval:def:1503939
Updated tomcat packages that fix three security issues are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System base scores, which give detailed severity ratings, are available ...

oval:org.secpod.oval:def:501360
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity attacks. An attacker able to de ...

oval:org.secpod.oval:def:501362
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag lib ...

oval:org.secpod.oval:def:400782
This update for tomcat fixes the following issues: Tomcat 8 was updated from 8.0.23 to 8.0.32, to fix bugs and security issues. Fixed security issues: * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in Apache Tomcat allowed remote authenticated users to bypass intended Securit ...

oval:org.secpod.oval:def:1600331
It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. It was found that Tomcat would keep connections open after processing requests with a large enough reques ...

oval:org.secpod.oval:def:20835
The host is installed with Apache Tomcat 6.0.x before 6.0.39, 7.x before 7.0.47 or 8.x before 8.0.0-RC3 and is prone to information disclosure vulnerability. A flaw is present in the application, which does not properly handle certain inconsistent HTTP request headers. Successful exploitation allows ...

oval:org.secpod.oval:def:20838
The host is installed with Apache Tomcat 6.0.33 before 6.0.38 and is prone to information disclosure vulnerability. A flaw is present in the application, which fails to handle a crafted URL. Successful exploitation allows remote attackers to conduct session fixation attacks.

oval:org.secpod.oval:def:20839
The host is installed with Apache Tomcat 6.0.x before 6.0.40, 7.x before 7.0.53 or 8.x before 8.0.4 and is prone to denial of service vulnerability. A flaw is present in the application, which fails to handle a malformed chunk size in chunked transfer coding of a request. Successful exploitation all ...

oval:org.secpod.oval:def:20836
The host is installed with Apache Tomcat 6.0.x before 6.0.39, 7.x before 7.0.50 or 8.x before 8.0.0-RC10 and is prone to denial of service vulnerability. A flaw is present in the application, which does not properly handle (1) a large total amount of chunked data or (2) whitespace characters in an H ...

oval:org.secpod.oval:def:20837
The host is installed with Apache Tomcat 6.0.x before 6.0.39, 7.x before 7.0.50 or 8.x before 8.0.0-RC10 and is prone to information disclosure vulnerability. A flaw is present in the application, which fails to handle an untrusted web application. Successful exploitation allows remote attackers to ...

oval:org.secpod.oval:def:501564
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make T ...

oval:org.secpod.oval:def:501325
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was discovered that Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against Tomcat ...

oval:org.secpod.oval:def:501570
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make T ...

oval:org.secpod.oval:def:501332
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was discovered that Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against Tomcat ...

oval:org.secpod.oval:def:400638
This update for tomcat fixes the following security issues. Tomcat has been updated from 7.0.55 to 7.0.68. * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in Apache Tomcat allowed remote authenticated users to bypass intended SecurityManager restrictions and list a parent dire ...

oval:org.secpod.oval:def:1600384
A directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths cal ...

oval:org.secpod.oval:def:1501009
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make T ...

oval:org.secpod.oval:def:1501007
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make T ...

oval:org.secpod.oval:def:501880
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application de ...

oval:org.secpod.oval:def:33123
The host is installed with Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30 or 9.x before 9.0.0.M2 and is prone to a session fixation vulnerability. A flaw is present in the session-persistence implementation, which fails to handle different session settings used for deployments of multiple versio ...

oval:org.secpod.oval:def:33122
The host is installed with Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31 or 9.x before 9.0.0.M2 and is prone to a security bypass vulnerability. A flaw is present in the Manager and Host Manager applications, which establish sessions and send CSRF tokens for arbitrary new requests. Successful e ...

oval:org.secpod.oval:def:33124
The host is installed with Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30 or 9.x before 9.0.0.M2 and is prone to an information disclosure vulnerability. A flaw is present in the Mapper component, which processes redirects before considering security constraints and Filters. S ...

oval:org.secpod.oval:def:204023
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application de ...

oval:org.secpod.oval:def:1501600
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application dep ...

oval:org.secpod.oval:def:1900433
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting ...

oval:org.secpod.oval:def:112060
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:501881
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicio ...

oval:org.secpod.oval:def:1600425
Tomcat's CGI support used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly ...

oval:org.secpod.oval:def:112161
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:1501599
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application dep ...

oval:org.secpod.oval:def:113146
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:113143
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:502071
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the remova ...

oval:org.secpod.oval:def:112510
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:112509
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:1600688
Incorrect handling of pipelined requests when send file was used: A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost wh ...

oval:org.secpod.oval:def:1501935
The advisory is missing the security advisory description. For more information please visit the reference link

oval:org.secpod.oval:def:112317
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:112319
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:114237
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:114236
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:1700092
Improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service.

oval:org.secpod.oval:def:502374
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: A bug in the UTF-8 decoder can lead to DoS For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed ...

oval:org.secpod.oval:def:1504566
[0:7.0.76-9] - Resolves: rhbz#1641873 CVE-2018-11784 tomcat: Open redirect in default servlet - Resolves: rhbz#1552375 CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources - Resolves: rhbz#1552374 CVE-2018-1305 tomcat: Lat ...

oval:org.secpod.oval:def:205275
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources * tomcat: Late application of security constraints can lead to resource e ...

oval:org.secpod.oval:def:503302
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources * tomcat: Late application of security constraints can lead to resource e ...

oval:org.secpod.oval:def:1502344
The advisory is missing the security advisory description. For more information please visit the reference link

oval:org.secpod.oval:def:45753
The host is installed with Apache Tomcat 9.x before 9.0.9, 7.0.41 before 7.0.89, 8.x before 8.0.53 or 8.5.x before 8.5.32 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle a CORS filter settings issue. Successful exploitation allows attack ...

oval:org.secpod.oval:def:115028
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:502624
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Open redirect in default servlet For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page ...

oval:org.secpod.oval:def:205171
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Open redirect in default servlet For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page ...

oval:org.secpod.oval:def:1700152
When the default servlet in Apache Tomcat returned a redirect to a directory, a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.

oval:org.secpod.oval:def:47875
The host is installed with Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 or 7.0.23 to 7.0.90 and is prone to an open redirection vulnerability. A flaw is present in the application which fails to handle the issue in default servlet which returned a redirect to a directory. Successful ex ...

oval:org.secpod.oval:def:115930
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:1701655
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a productio ...

oval:org.secpod.oval:def:55556
The host is installed with Apache Tomcat versions 9.0.0.M1 to 9.0.19 or 8.5.0 to 8.5.40 and is prone to a denial of service vulnerability. A flaw is present in the application which fails to handle the issue in HTTP/2 connection. Successful exploitation allows attackers to cause server-side threads ...

oval:org.secpod.oval:def:89000556
This update for tomcat fixes the following issues: - Update to Tomcat 9.0.35. See changelog at

oval:org.secpod.oval:def:1701774
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data co ...

oval:org.secpod.oval:def:1701732
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data co ...

oval:org.secpod.oval:def:205582
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: deserialization flaw in session persistence storage leading to RCE For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related ...

oval:org.secpod.oval:def:1501797
CVE-2016-6816 : The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the a ...

oval:org.secpod.oval:def:502085
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. The following packages have been upgraded to a later upstream version: tomcat. Security Fix: * The Realm implementations did not process the supplied password if the supplied user name did not exist. This ...

oval:org.secpod.oval:def:502011
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid character ...

oval:org.secpod.oval:def:1600518
It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response t ...

oval:org.secpod.oval:def:501993
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid character ...

oval:org.secpod.oval:def:1501829
The advisory is missing the security advisory description. For more information please visit the reference link

oval:org.secpod.oval:def:1501959
The advisory is missing the security advisory description. For more information please visit the reference link

oval:org.secpod.oval:def:1600482
CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener

oval:org.secpod.oval:def:1600473
It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. A malicious web applic ...

oval:org.secpod.oval:def:97889
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: tomcat: HTTP request smuggling via malformed trailer headers For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ref ...

oval:org.secpod.oval:def:1701780
URL Redirection to Untrusted Site vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT web ...

oval:org.secpod.oval:def:1701745
URL Redirection to Untrusted Site vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT web ...

oval:org.secpod.oval:def:89051096
This update for tomcat fixes the following issues: * CVE-2023-42795: Fixed a potential information leak due to insufficient cleanup. * CVE-2023-45648: Fixed a request smuggling issue due to an incorrect parsing of HTTP trailer headers. * CVE-2023-41080: Fixed URL Redirection to Untrusted Site vul ...

oval:org.secpod.oval:def:89051054
This update for tomcat fixes the following issues: * CVE-2023-42795: Fixed a potential information leak due to insufficient cleanup. * CVE-2023-45648: Fixed a request smuggling issue due to an incorrect parsing of HTTP trailer headers.

oval:org.secpod.oval:def:89050180
This update for tomcat fixes the following issues: * CVE-2023-41080: Fixed URL Redirection to Untrusted Site vulnerability in FORM authentication feature.

oval:org.secpod.oval:def:89000430
This update for tomcat fixes the following issues: CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence If an attacker was able to control the contents and name of a file on a server configured to use the PersistenceManager, then the attacker could have triggered a remote code ...

oval:org.secpod.oval:def:1501655
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. The following packages have been upgraded to a newer upstream version: tomcat. Security Fix: * A CSRF flaw was found in Tomcat's index pages for the Manager and Host Manager applications. These applic ...

oval:org.secpod.oval:def:45287
The host is installed with Apache Tomcat 7.x before 7.0.81 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle a specially crafted request. Successful exploitation allows attackers to bypass security constraints and/or view the source ...

oval:org.secpod.oval:def:111284
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:111287
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...

oval:org.secpod.oval:def:89048716
This update for tomcat fixes the following issues: * CVE-2022-45143: Fixed JsonErrorReportValve injection.

oval:org.secpod.oval:def:35821
The host is installed with Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3 or 9.x before 9.0.0.M7 and is prone to a denial of service vulnerability. A flaw is present in the MultipartStream class in Apache Commons Fileupload, which fails to handle a long boundary string. Succe ...

oval:org.secpod.oval:def:88224
The host is installed with Apache Tomcat 11.0.0-M1 through 11.0.0-M2, 10.1.0-M1 through 10.1.5, 9.0.0.M1 through 9.0.71 or 8.5.0 through 8.5.85 and is prone to an information disclosure vulnerability. A flaw is present in the application, which fails to properly handle the RemoteIpFilter with reques ...

oval:org.secpod.oval:def:89048536
This update for tomcat fixes the following issues: * CVE-2023-28708: Fixed information disclosure by not including the secure attribute.

oval:org.secpod.oval:def:204119
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. The following packages have been upgraded to a newer upstream version: tomcat. Security Fix: * A CSRF flaw was found in Tomcat's index pages for the Manager and Host Manager applications. These applic ...

oval:org.secpod.oval:def:89048673
This update for tomcat fixes the following issues: * CVE-2023-28708: Fixed information disclosure by not including the secure attribute.

oval:org.secpod.oval:def:501905
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. The following packages have been upgraded to a newer upstream version: tomcat. Security Fix: * A CSRF flaw was found in Tomcat's index pages for the Manager and Host Manager applications. These applic ...

oval:org.secpod.oval:def:1701671
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections ...

oval:org.secpod.oval:def:61640
The host is installed with Apache Tomcat 9.x before 9.0.31, 7.x before 7.0.100 or 8.5.x before 8.5.51 and is prone to an AJP request injection vulnerability. A flaw is present in the application, which fails to properly handle a regression introduced due to refactoring. Successful exploitation allows re ...

oval:org.secpod.oval:def:1701740
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind ...

oval:org.secpod.oval:def:1502847
The advisory is missing the security advisory description. For more information please visit the reference link

oval:org.secpod.oval:def:1502850
The advisory is missing the security advisory description. For more information please visit the reference link

oval:org.secpod.oval:def:89000392
This update for tomcat to version 9.0.31 fixes the following issues: Security issues fixed: - CVE-2019-17569: Fixed a regression in the handling of Transfer-Encoding headers that would have allowed HTTP Request Smuggling. - CVE-2020-1935: Fixed an HTTP Request Smuggling issue. - CVE-2020-1938: Fix ...

oval:org.secpod.oval:def:61584
The host is installed with Apache Tomcat 9.x before 9.0.31, 7.x before 7.0.100 or 8.5.x before 8.5.51 and is prone to an AJP request injection vulnerability. A flaw is present in the application, which fails to properly handle a regression introduced due to refactoring. Successful exploitation allows re ...

oval:org.secpod.oval:def:61583
The host is installed with Apache Tomcat 9.x before 9.0.31, 7.x before 7.0.100 or 8.5.x before 8.5.51 and is prone to an HTTP request smuggling vulnerability. A flaw is present in the application, which fails to properly handle an improper end-of-line parsing. Successful exploitation allows attackers to ...

oval:org.secpod.oval:def:503570
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, re ...

oval:org.secpod.oval:def:81758
The host is installed with Apache Tomcat 8.5.0 through 8.5.75 or 9.0.0.M1 through 9.0.20 and is prone to an improper resource shutdown vulnerability. A flaw is present in the application, which fails to handle a WebSocket message sent concurrently with the WebSocket connection closed. Successful exploit ...

oval:org.secpod.oval:def:205461
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, re ...

oval:org.secpod.oval:def:205462
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, re ...

oval:org.secpod.oval:def:1702109
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.

oval:org.secpod.oval:def:1702089
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.

oval:org.secpod.oval:def:509093
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: tomcat: Open Redirect vulnerability in FORM authentication tomcat: FileUpload: DoS due to accumulation of temporary files on Windows tomcat: improper cleaning of recycled objects could lead ...

oval:org.secpod.oval:def:509076
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: tomcat: Open Redirect vulnerability in FORM authentication tomcat: FileUpload: DoS due to accumulation of temporary files on Windows tomcat: improper cleaning of recycled objects could lead ...

oval:org.secpod.oval:def:509087
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: tomcat: HTTP request smuggling via malformed trailer headers For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ref ...

oval:org.secpod.oval:def:1701301
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribut ...

oval:org.secpod.oval:def:3302403
Security update for tomcat

oval:org.secpod.oval:def:2600512
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies.

oval:org.secpod.oval:def:1507379
[1:9.0.62-37.el9_3.2] - Resolves: #2252050 HTTP request smuggling via malformed trailer headers

oval:org.secpod.oval:def:89051398
This update for tomcat fixes the following issues: Security fixes: * CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing. Other fixes: * Streamline how patches are handled in the spec file of the package

oval:org.secpod.oval:def:89051400
This update for tomcat fixes the following issues: Security fixes: * CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing. Other fixes: * Streamline how patches are handled in the spec file of the package

oval:org.secpod.oval:def:89051458
This update for tomcat fixes the following issues: Updated to Tomcat 9.0.85: * CVE-2023-45648: Improve trailer header parsing. * CVE-2023-42794: FileUpload: remove tmp files to avoid DoS on Windows. * CVE-2023-42795: Improve handling of failures during recycle methods. * CVE-2023-46589: Fixed HTT ...

oval:org.secpod.oval:def:89051637
This update for tomcat fixes the following issues: * CVE-2024-21733: Fixed leaking of unrelated request bodies in default error page.

oval:org.secpod.oval:def:1701846
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling p ...

oval:org.secpod.oval:def:1701845
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling p ...

oval:org.secpod.oval:def:1507111
[1:9.0.62-5.2] - HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack

oval:org.secpod.oval:def:94006
An update for tomcat is now available for Red Hat Enterprise Linux 9.

oval:org.secpod.oval:def:89050980
This update for tomcat fixes the following issues: Tomcat was updated to version 9.0.82: * Security issues fixed: * CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. * CVE-2023-44487: Fix HTTP/2 Rapid Reset Attack. * Update to Tomcat 9.0.82: * Catalina * Add: 65770: Provid ...

oval:org.secpod.oval:def:205653
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS * tomcat: session fixation when using FORM authentication For more details about the security i ...

oval:org.secpod.oval:def:2600384
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies.

oval:org.secpod.oval:def:90287
The host is installed with Apache Tomcat 11.0.0-M1 through 11.0.0-M4, 10.1.5 through 10.1.7, 9.0.71 through 9.0.73 or 8.5.85 through 8.5.87 or Atlassian Confluence Server 7.13.15 before 7.13.19, 7.19.7 before 7.19.11 or 8.1.1 before 8.4.1 and is prone to a denial of service vulnerability. A flaw is ...

oval:org.secpod.oval:def:89048635
This update for tomcat fixes the following issues: * CVE-2023-28708: Fixed information disclosure by not including the secure attribute. * CVE-2023-24998: Fixed FileUpload denial-of-service with excessive parts.

oval:org.secpod.oval:def:1701752
A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack. The attacker could then capture user na ...

oval:org.secpod.oval:def:1701757
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted tha ...

oval:org.secpod.oval:def:89048916
This update for tomcat fixes the following issues: * CVE-2023-28709: Mended an incomplete fix for CVE-2023-24998.

oval:org.secpod.oval:def:89048921
This update for tomcat fixes the following issues: * CVE-2023-28709: Mended an incomplete fix for CVE-2023-24998.

oval:org.secpod.oval:def:89048952
This update for tomcat fixes the following issues: * CVE-2023-28709: Mended an incomplete fix for CVE-2023-24998.

oval:org.secpod.oval:def:89048951
This update for tomcat fixes the following issues: Updated to version 9.0.75: - CVE-2023-28709: Mended an incomplete fix for CVE-2023-24998.

oval:org.secpod.oval:def:1701708
A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack. The attacker could then capture user na ...

oval:org.secpod.oval:def:1701710
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted tha ...

oval:org.secpod.oval:def:89048596
This update for tomcat fixes the following issues: * CVE-2023-24998: Fixed FileUpload DoS with excessive parts.

oval:org.secpod.oval:def:2501243
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies.

oval:org.secpod.oval:def:89048552
This update for tomcat fixes the following issues: * CVE-2023-24998: Fixed FileUpload DoS with excessive parts.

oval:org.secpod.oval:def:89048541
This update for tomcat fixes the following issues: * CVE-2023-24998: Fixed FileUpload DoS with excessive parts.

oval:org.secpod.oval:def:89051771
This update for tomcat fixes the following issues: * CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream * CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open Other fixes: - Update to Tomcat 9.0.87 * Catalina + Fix: Min ...

oval:org.secpod.oval:def:89051745
This update for tomcat fixes the following issues: * CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream * CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open

CVE    30
CVE-2016-5388
CVE-2013-4444
CVE-2012-5568
CVE-2021-24122
...
*CPE
cpe:/a:apache:tomcat

© SecPod Technologies