Author: kkolinko
Date: Thu Sep 22 23:51:23 2011
New Revision: 1174453
URL: http://svn.apache.org/viewvc?rev=1174453&view=rev
Log:
Simplify the markup
Rearranged entries in "not in Tomcat" section in security-4.xml: newer ones are
at the top.
Modified:
tomcat/site/trunk/docs/security-3.html
tomcat/site/trunk/docs/security-4.html
tomcat/site/trunk/xdocs/security-3.xml
tomcat/site/trunk/xdocs/security-4.xml
Modified: tomcat/site/trunk/docs/security-3.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-3.html?rev=1174453&r1=1174452&r2=1174453&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-3.html (original)
+++ tomcat/site/trunk/docs/security-3.html Thu Sep 22 23:51:23 2011
@@ -284,8 +284,8 @@
<a href="mailto:[email protected]">Tomcat Security
Team</a>.</p>
<p>Please note that Tomcat 3 is no longer supported. Further
vulnerabilities
- in the 3.x branches will not be fixed. Users should upgrade to 5.5.x or
- 6.x to obtain security fixes.</p>
+ in the 3.x branches will not be fixed. Users should upgrade to 5.5.x,
+ 6.x or 7.x to obtain security fixes.</p>
</blockquote>
</p>
@@ -611,7 +611,6 @@
<p>
<strong>moderate: Information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0590"
rel="nofollow">CVE-2001-0590</a>
-<br/>
</p>
<p>A specially crafted URL can be used to obtain the source for JSPs.</p>
@@ -647,7 +646,6 @@
<p>
<strong>low: Information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0759"
rel="nofollow">CVE-2000-0759</a>
-<br/>
</p>
<p>Requesting a JSP that does not exist results in an error page that
@@ -658,7 +656,6 @@
<p>
<strong>important: Information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0672"
rel="nofollow">CVE-2000-0672</a>
-<br/>
</p>
<p>Access to the admin context is not protected. This context allows an
@@ -697,7 +694,6 @@
<p>
<strong>important: Information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1210"
rel="nofollow">CVE-2000-1210</a>
-<br/>
</p>
<p>source.jsp, provided as part of the examples, allows an attacker to read
Modified: tomcat/site/trunk/docs/security-4.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=1174453&r1=1174452&r2=1174453&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Thu Sep 22 23:51:23 2011
@@ -306,7 +306,7 @@
<p>Please note that Tomcat 4.0.x and 4.1.x are no longer supported. Further
vulnerabilities in the 4.0.x and 4.1.x branches will not be fixed. Users
- should upgrade to 5.5.x or 6.x to obtain security fixes.</p>
+ should upgrade to 5.5.x, 6.x or 7.x to obtain security fixes.</p>
</blockquote>
</p>
@@ -388,11 +388,8 @@
content that would otherwise be protected by a security constraint or by
locating it in under the WEB-INF directory.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=782763&view=rev">
- revision 782763</a> and
- <a href="http://svn.apache.org/viewvc?rev=783292&view=rev">
- revision 783292</a>.</p>
+ <p>This was fixed in revisions <a
href="http://svn.apache.org/viewvc?view=rev&rev=782763">782763</a> and
+ <a
href="http://svn.apache.org/viewvc?view=rev&rev=783292">783292</a>.</p>
<p>Affects: 4.1.0-4.1.39</p>
@@ -408,9 +405,7 @@
from use for approximately one minute. Thus the behaviour can be used
for
a denial of service attack using a carefully crafted request.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=781362&view=rev">
- revision 781362</a>.</p>
+ <p>This was fixed in <a
href="http://svn.apache.org/viewvc?view=rev&rev=781362">revision
781362</a>.</p>
<p>Affects: 4.1.0-4.1.39</p>
@@ -426,9 +421,7 @@
Note that in early versions, the DataSourceRealm and JDBCRealm were also
affected.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=781382&view=rev">
- revision 781382</a>.</p>
+ <p>This was fixed in <a
href="http://svn.apache.org/viewvc?view=rev&rev=781382">revision
781382</a>.</p>
<p>Affects: 4.1.0-4.1.39 (Memory Realm), 4.1.0-4.1.31 (JDBC Realm),
4.1.17-4.1.31 (DataSource Realm)</p>
@@ -442,9 +435,7 @@
XSS flaw due to invalid HTML which renders the XSS filtering protection
ineffective.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=750927&view=rev">
- revision 750927</a>.</p>
+ <p>This was fixed in <a
href="http://svn.apache.org/viewvc?view=rev&rev=750927">revision
750927</a>.</p>
<p>Affects: 4.1.0-4.1.39</p>
@@ -453,18 +444,14 @@
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783"
rel="nofollow">CVE-2009-0783</a>
</p>
- <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">
- 29936</a> and
- <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">
- 45933</a> allowed a web application to replace the XML parser used by
+ <p>Bugs <a
href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">29936</a> and
<a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">45933</a>
+ allowed a web application to replace the XML parser used by
Tomcat to process web.xml and tld files. In limited circumstances these
bugs may allow a rogue web application to view and/or alter the web.xml
and tld files of other web applications deployed on the Tomcat instance.
</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=781708&view=rev">
- revision 781708</a>.</p>
+ <p>This was fixed in <a
href="http://svn.apache.org/viewvc?view=rev&rev=781708">revision
781708</a>.</p>
<p>Affects: 4.1.0-4.1.39</p>
@@ -506,9 +493,7 @@
transmitted to any content that is - by purpose or error - requested via
http from the same server. </p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=684900&view=rev">
- revision 684900</a>.</p>
+ <p>This was fixed in <a
href="http://svn.apache.org/viewvc?view=rev&rev=684900">revision
684900</a>.</p>
<p>Affects: 4.1.0-4.1.37</p>
@@ -525,9 +510,7 @@
XSS attack, unfiltered user supplied data must be included in the
message
argument.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=680947&view=rev">
- revision 680947</a>.</p>
+ <p>This was fixed in <a
href="http://svn.apache.org/viewvc?view=rev&rev=680947">revision
680947</a>.</p>
<p>Affects: 4.1.0-4.1.37</p>
@@ -542,9 +525,7 @@
protected by a security constraint or by locating it in under the
WEB-INF
directory.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=680950&view=rev">
- revision 680950</a>.</p>
+ <p>This was fixed in <a
href="http://svn.apache.org/viewvc?view=rev&rev=680950">revision
680950</a>.</p>
<p>Affects: 4.1.0-4.1.37</p>
@@ -1252,7 +1233,6 @@
<strong>low: Installation path disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4703"
rel="nofollow">CVE-2005-4703</a>,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2008"
rel="nofollow">CVE-2002-2008</a>
-<br/>
</p>
<p>This issue only affects Windows operating systems. It can not be
@@ -1267,7 +1247,6 @@
<p>
<strong>important: Denial of service</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1895"
rel="nofollow">CVE-2002-1895</a>
-<br/>
</p>
<p>This issue only affects configurations that use IIS in conjunction with
@@ -1305,17 +1284,6 @@
<p>
<blockquote>
<p>
-<strong>Denial of service vulnerability</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0936"
rel="nofollow">CVE-2002-0936</a>
-</p>
-
- <p>The issue described requires an attacker to be able to plant a JSP page
- on the Tomcat server. If an attacker can do this then the server is
- already compromised. In this case an attacker could just as easily add a
- page that called System.exit(1) rather than relying on a bug in an
- internal Sun class.</p>
-
- <p>
<strong>important: Directory traversal</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938"
rel="nofollow">CVE-2008-2938</a>
</p>
@@ -1342,11 +1310,22 @@
status of this issue for your JVM, contact your JVM vendor.</p>
<p>A workaround was implemented in
- <a href="http://svn.apache.org/viewvc?rev=681065&view=rev">
- revision 681065</a> that protects against this and any similar character
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=681065">revision
681065</a>
+ that protects against this and any similar character
encoding issues that may still exist in the JVM. This work around is
included in Tomcat 4.1.39 onwards.</p>
+ <p>
+<strong>Denial of service vulnerability</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0936"
rel="nofollow">CVE-2002-0936</a>
+</p>
+
+ <p>The issue described requires an attacker to be able to plant a JSP page
+ on the Tomcat server. If an attacker can do this then the server is
+ already compromised. In this case an attacker could just as easily add a
+ page that called System.exit(1) rather than relying on a bug in an
+ internal Sun class.</p>
+
</blockquote>
</p>
</td>
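Review bot: the CVE-2002-0936 block re-added at the bottom of this hunk is moved verbatim, so it keeps the heading "Denial of service vulnerability" with no severity prefix, while every neighbouring entry in this section uses the "severity: type" form ("important: Directory traversal", "low: Installation path disclosure"). Since the entry is being touched anyway, give it a heading in the same form (the rating itself is for the security team to decide) so the "not in Tomcat" list reads uniformly.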
Modified: tomcat/site/trunk/xdocs/security-3.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-3.xml?rev=1174453&r1=1174452&r2=1174453&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-3.xml (original)
+++ tomcat/site/trunk/xdocs/security-3.xml Thu Sep 22 23:51:23 2011
@@ -25,15 +25,14 @@
<a href="mailto:[email protected]">Tomcat Security
Team</a>.</p>
<p>Please note that Tomcat 3 is no longer supported. Further
vulnerabilities
- in the 3.x branches will not be fixed. Users should upgrade to 5.5.x or
- 6.x to obtain security fixes.</p>
+ in the 3.x branches will not be fixed. Users should upgrade to 5.5.x,
+ 6.x or 7.x to obtain security fixes.</p>
</section>
<section name="Not fixed in Apache Tomcat 3.x">
<p><strong>important: Denial of service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0808"
- rel="nofollow">CVE-2005-0808</a></p>
+ <cve>CVE-2005-0808</cve></p>
<p>Tomcat 3.x can be remotely caused to crash or shutdown by a connection
sending the right sequence of bytes to the AJP12 protocol port (TCP 8007
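Review bot: `<cve>CVE-2005-0808</cve>` is the first use of the cve element in this file, and the commit does not touch the stylesheet that renders the xdocs, so that template must already exist. The generated security-3.html hunks earlier in this mail still emit the full cve.mitre.org anchor with rel="nofollow", which supports that, but the log message "Simplify the markup" does not say that cve, revlink and bug are pre-existing macros; a sentence to that effect would help anyone reading the history.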
@@ -44,8 +43,7 @@
<p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.2</p>
<p><strong>low: Session hi-jacking</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382"
- rel="nofollow">CVE-2007-3382</a></p>
+ <cve>CVE-2007-3382</cve></p>
<p>Tomcat incorrectly treated a single quote character (') in a cookie
value as a delimiter. In some circumstances this lead to the leaking of
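Review bot: the context line "In some circumstances this lead to the leaking of" should read "this led to"; the same wording appears in the CVE-2007-3385 entry below and in both copies of these entries in security-4.xml. Since these paragraphs are being rewritten for the cve element, it is a cheap fix to make in the same commit.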
@@ -54,8 +52,7 @@
<p>Affects: 3.3-3.3.2</p>
<p><strong>low: Cross site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3384"
- rel="nofollow">CVE-2007-3384</a></p>
+ <cve>CVE-2007-3384</cve></p>
<p>When reporting error messages, Tomcat does not filter user supplied data
before display. This enables an XSS attack. A source patch is available
@@ -66,8 +63,7 @@
<p>Affects: 3.3-3.3.2</p>
<p><strong>low: Session hi-jacking</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
- rel="nofollow">CVE-2007-3385</a></p>
+ <cve>CVE-2007-3385</cve></p>
<p>Tomcat incorrectly handled the character sequence \" in a cookie value.
In some circumstances this lead to the leaking of information such as
@@ -79,8 +75,7 @@
<section name="Fixed in Apache Tomcat 3.3.2">
<p><strong>moderate: Cross site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0044"
- rel="nofollow">CVE-2003-0044</a></p>
+ <cve>CVE-2003-0044</cve></p>
<p>The root web application and the examples web application contained a
number a cross-site scripting vulnerabilities. Note that is it
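Review bot: two pre-existing typos sit in the context lines of this hunk: "contained a number a cross-site scripting vulnerabilities" should be "a number of", and "Note that is it" should be "Note that it is". Worth correcting while the entry is being edited.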
@@ -92,8 +87,7 @@
<section name="Fixed in Apache Tomcat 3.3.1a">
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0043"
- rel="nofollow">CVE-2003-0043</a></p>
+ <cve>CVE-2003-0043</cve></p>
<p>When used with JDK 1.3.1 or earlier, web.xml files were read with
trusted privileges enabling files outside of the web application to be
@@ -102,8 +96,7 @@
<p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1</p>
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0042"
- rel="nofollow">CVE-2003-0042</a></p>
+ <cve>CVE-2003-0042</cve></p>
<p>URLs containing null characters could result in file contents being
returned or a directory listing being returned even when a welcome file
@@ -114,8 +107,7 @@
<section name="Fixed in Apache Tomcat 3.3.1">
<p><strong>important: Denial of service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0045"
- rel="nofollow">CVE-2003-0045</a></p>
+ <cve>CVE-2003-0045</cve></p>
<p>JSP page names that match a Windows DOS device name, such as aux.jsp,
may
cause the thread processing the request to become unresponsive. A
@@ -127,8 +119,7 @@
<section name="Fixed in Apache Tomcat 3.3a">
<p><strong>moderate: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2007"
- rel="nofollow">CVE-2002-2007</a></p>
+ <cve>CVE-2002-2007</cve></p>
<p>Non-standard requests to the sample applications installed by default
could result in unexpected directory listings or disclosure of the full
@@ -137,10 +128,8 @@
<p>Affects: 3.2.3-3.2.4</p>
<p><strong>low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006"
- rel="nofollow">CVE-2002-2006</a>,
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0760"
- rel="nofollow">CVE-2000-0760</a></p>
+ <cve>CVE-2002-2006</cve>,
+ <cve>CVE-2000-0760</cve></p>
<p>The snoop servlet installed as part of the examples includes output that
identifies the Tomcat installation path. There are no plans to issue a
an
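Review bot: the context lines "There are no plans to issue a" followed by "an" look like a duplicated article left over from an earlier edit; check the full sentence in the file and drop one of the two.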
@@ -151,8 +140,7 @@
<section name="Fixed in Apache Tomcat 3.2.4">
<p><strong>moderate: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1563"
- rel="nofollow">CVE-2001-1563</a><br/></p>
+ <cve>CVE-2001-1563</cve><br/></p>
<p>No specifics are provided in the vulnerability report. This may be a
summary of other issues reported against 3.2.x</p>
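Review bot: `<cve>CVE-2001-1563</cve><br/></p>` keeps the trailing `<br/>` that the later hunks in this file (CVE-2001-0590, CVE-2000-0759, CVE-2000-0672, CVE-2000-1210) drop, and the security-3.html hunks in this same mail remove the corresponding `<br/>` from the generated output. Drop it here as well so the entries are consistent and the HTML does not end up with one stray line break.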
@@ -162,8 +150,7 @@
<section name="Fixed in Apache Tomcat 3.2.2">
<p><strong>moderate: Cross site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0829"
- rel="nofollow">CVE-2001-0829</a></p>
+ <cve>CVE-2001-0829</cve></p>
<p>The default 404 error page does not escape URLs. This allows XSS
attacks using specially crafted URLs.</p>
@@ -171,8 +158,7 @@
<p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.1</p>
<p><strong>moderate: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0590"
- rel="nofollow">CVE-2001-0590</a><br/></p>
+ <cve>CVE-2001-0590</cve></p>
<p>A specially crafted URL can be used to obtain the source for JSPs.</p>
@@ -181,8 +167,7 @@
<section name="Fixed in Apache Tomcat 3.2">
<p><strong>low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0759"
- rel="nofollow">CVE-2000-0759</a><br/></p>
+ <cve>CVE-2000-0759</cve></p>
<p>Requesting a JSP that does not exist results in an error page that
includes the full file system page of the current context.</p>
@@ -190,8 +175,7 @@
<p>Affects: 3.1</p>
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0672"
- rel="nofollow">CVE-2000-0672</a><br/></p>
+ <cve>CVE-2000-0672</cve></p>
<p>Access to the admin context is not protected. This context allows an
attacker to mount an arbitary file system path as a context. Any files
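Review bot: the context line "mount an arbitary file system path" has the pre-existing typo "arbitary" for "arbitrary"; fix it in this entry while it is being touched.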
@@ -203,8 +187,7 @@
<section name="Fixed in Apache Tomcat 3.1">
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1210"
- rel="nofollow">CVE-2000-1210</a><br/></p>
+ <cve>CVE-2000-1210</cve></p>
<p>source.jsp, provided as part of the examples, allows an attacker to read
arbitrary files via a .. (dot dot) in the argument to source.jsp.</p>
Modified: tomcat/site/trunk/xdocs/security-4.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=1174453&r1=1174452&r2=1174453&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Thu Sep 22 23:51:23 2011
@@ -26,14 +26,13 @@
<p>Please note that Tomcat 4.0.x and 4.1.x are no longer supported. Further
vulnerabilities in the 4.0.x and 4.1.x branches will not be fixed. Users
- should upgrade to 5.5.x or 6.x to obtain security fixes.</p>
+ should upgrade to 5.5.x, 6.x or 7.x to obtain security fixes.</p>
</section>
<section name="Will not be fixed in Apache Tomcat 4.1.x">
<p><strong>moderate: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4836"
- rel="nofollow">CVE-2005-4836</a></p>
+ <cve>CVE-2005-4836</cve></p>
<p>The deprecated HTTP/1.1 connector does not reject request URIs
containing
null bytes when used with contexts that are configured with
@@ -49,8 +48,7 @@
<section name="Fixed in Apache Tomcat 4.1.40">
<p><strong>Important: Information Disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515"
- rel="nofollow">CVE-2008-5515</a></p>
+ <cve>CVE-2008-5515</cve></p>
<p>When using a RequestDispatcher obtained from the Request, the target
path
was normalised before the query string was removed. A request that
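Review bot: the heading "Important: Information Disclosure" in this hunk's context is capitalised differently from every other heading in the file ("important: Information disclosure", "low: Cross-site scripting"), and the next hunk shows the same for "Important: Denial of Service". Normalising both to the lower-case "severity: Type" form used elsewhere would keep the section consistent.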
@@ -58,17 +56,13 @@
content that would otherwise be protected by a security constraint or by
locating it in under the WEB-INF directory.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=782763&view=rev">
- revision 782763</a> and
- <a href="http://svn.apache.org/viewvc?rev=783292&view=rev">
- revision 783292</a>.</p>
+ <p>This was fixed in revisions <revlink rev="782763">782763</revlink> and
+ <revlink rev="783292">783292</revlink>.</p>
<p>Affects: 4.1.0-4.1.39</p>
<p><strong>Important: Denial of Service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"
- rel="nofollow">CVE-2009-0033</a></p>
+ <cve>CVE-2009-0033</cve></p>
<p>If Tomcat receives a request with invalid headers via the Java AJP
connector, it does not return an error and instead closes the AJP
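Review bot: `<revlink rev="782763">782763</revlink>` puts only the number inside the link text, whereas the other revlink uses in this file keep "revision NNN" inside the link (e.g. `<revlink rev="781362">revision 781362</revlink>`); that reads fine because the sentence says "revisions", but it is the only entry in that form. The generated security-4.html hunk for this entry shows the URL order changed to `?view=rev&rev=782763`, which confirms the revlink template is already in the stylesheet that this commit does not modify.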
@@ -77,15 +71,12 @@
from use for approximately one minute. Thus the behaviour can be used
for
a denial of service attack using a carefully crafted request.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=781362&view=rev">
- revision 781362</a>.</p>
+ <p>This was fixed in <revlink rev="781362">revision 781362</revlink>.</p>
<p>Affects: 4.1.0-4.1.39</p>
<p><strong>low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580"
- rel="nofollow">CVE-2009-0580</a></p>
+ <cve>CVE-2009-0580</cve></p>
<p>Due to insufficient error checking in some authentication classes,
Tomcat
allows for the enumeration (brute force testing) of user names by
@@ -94,43 +85,33 @@
Note that in early versions, the DataSourceRealm and JDBCRealm were also
affected.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=781382&view=rev">
- revision 781382</a>.</p>
+ <p>This was fixed in <revlink rev="781382">revision 781382</revlink>.</p>
<p>Affects: 4.1.0-4.1.39 (Memory Realm), 4.1.0-4.1.31 (JDBC Realm),
4.1.17-4.1.31 (DataSource Realm)</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"
- rel="nofollow">CVE-2009-0781</a></p>
+ <cve>CVE-2009-0781</cve></p>
<p>The calendar application in the examples web application contains an
XSS flaw due to invalid HTML which renders the XSS filtering protection
ineffective.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=750927&view=rev">
- revision 750927</a>.</p>
+ <p>This was fixed in <revlink rev="750927">revision 750927</revlink>.</p>
<p>Affects: 4.1.0-4.1.39</p>
<p><strong>low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783"
- rel="nofollow">CVE-2009-0783</a></p>
+ <cve>CVE-2009-0783</cve></p>
- <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">
- 29936</a> and
- <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">
- 45933</a> allowed a web application to replace the XML parser used by
+ <p>Bugs <bug>29936</bug> and <bug>45933</bug>
+ allowed a web application to replace the XML parser used by
Tomcat to process web.xml and tld files. In limited circumstances these
bugs may allow a rogue web application to view and/or alter the web.xml
and tld files of other web applications deployed on the Tomcat instance.
</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=781708&view=rev">
- revision 781708</a>.</p>
+ <p>This was fixed in <revlink rev="781708">revision 781708</revlink>.</p>
<p>Affects: 4.1.0-4.1.39</p>
@@ -139,23 +120,19 @@
<section name="Fixed in Apache Tomcat 4.1.39">
<p><strong>moderate: Session hi-jacking</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128"
- rel="nofollow">CVE-2008-0128</a></p>
+ <cve>CVE-2008-0128</cve></p>
<p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is
transmitted without the "secure" attribute, resulting in it being
transmitted to any content that is - by purpose or error - requested via
http from the same server. </p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=684900&view=rev">
- revision 684900</a>.</p>
+ <p>This was fixed in <revlink rev="684900">revision 684900</revlink>.</p>
<p>Affects: 4.1.0-4.1.37</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232"
- rel="nofollow">CVE-2008-1232</a></p>
+ <cve>CVE-2008-1232</cve></p>
<p>The message argument of HttpServletResponse.sendError() call is not only
displayed on the error page, but is also used for the reason-phrase of
@@ -165,15 +142,12 @@
XSS attack, unfiltered user supplied data must be included in the
message
argument.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=680947&view=rev">
- revision 680947</a>.</p>
+ <p>This was fixed in <revlink rev="680947">revision 680947</revlink>.</p>
<p>Affects: 4.1.0-4.1.37</p>
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370"
- rel="nofollow">CVE-2008-2370</a></p>
+ <cve>CVE-2008-2370</cve></p>
<p>When using a RequestDispatcher the target path was normalised before
the
query string was removed. A request that included a specially crafted
@@ -181,9 +155,7 @@
protected by a security constraint or by locating it in under the
WEB-INF
directory.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=680950&view=rev">
- revision 680950</a>.</p>
+ <p>This was fixed in <revlink rev="680950">revision
680950</revlink>.</p>
<p>Affects: 4.1.0-4.1.37</p>
@@ -191,8 +163,7 @@
<section name="Fixed in Apache Tomcat 4.1.37">
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3164"
- rel="nofollow">CVE-2005-3164</a></p>
+ <cve>CVE-2005-3164</cve></p>
<p>If a client specifies a Content-Length but disconnects before sending
any of the request body, the deprecated AJP connector processes the
@@ -203,8 +174,7 @@
<p>Affects: 4.0.1-4.0.6, 4.1.0-4.1.36</p>
<p><strong>moderate: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355"
- rel="nofollow">CVE-2007-1355</a></p>
+ <cve>CVE-2007-1355</cve></p>
<p>The JSP and Servlet included in the sample application within the Tomcat
documentation webapp did not escape user provided data before including
@@ -214,8 +184,7 @@
<p>Affects: 4.0.1-4.0.6, 4.1.0-4.1.36</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449"
- rel="nofollow">CVE-2007-2449</a></p>
+ <cve>CVE-2007-2449</cve></p>
<p>JSPs within the examples web application did not escape user provided
data before including it in the output. This enabled a XSS attack. These
@@ -228,8 +197,7 @@
<p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.36</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450"
- rel="nofollow">CVE-2007-2450</a></p>
+ <cve>CVE-2007-2450</cve></p>
<p>The Manager web application did not escape user provided data before
including it in the output. This enabled a XSS attack. This application
@@ -240,8 +208,7 @@
<p>Affects: 4.0.1-4.0.6, 4.1.0-4.1.36</p>
<p><strong>low: Session hi-jacking</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382"
- rel="nofollow">CVE-2007-3382</a></p>
+ <cve>CVE-2007-3382</cve></p>
<p>Tomcat incorrectly treated a single quote character (') in a cookie
value as a delimiter. In some circumstances this lead to the leaking of
@@ -250,8 +217,7 @@
<p>Affects: 4.1.0-4.1.36</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3383"
- rel="nofollow">CVE-2007-3383</a></p>
+ <cve>CVE-2007-3383</cve></p>
<p>When reporting error messages, the SendMailServlet (part of the examples
web application) did not escape user provided data before including it
in
@@ -264,8 +230,7 @@
<p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.36</p>
<p><strong>low: Session hi-jacking</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
- rel="nofollow">CVE-2007-3385</a></p>
+ <cve>CVE-2007-3385</cve></p>
<p>Tomcat incorrectly handled the character sequence \" in a cookie value.
In some circumstances this lead to the leaking of information such as
@@ -274,19 +239,16 @@
<p>Affects: 4.1.0-4.1.36</p>
<p><strong>low: Session hi-jacking</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333"
- rel="nofollow">CVE-2007-5333</a></p>
+ <cve>CVE-2007-5333</cve></p>
<p>The previous fix for
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
- rel="nofollow">CVE-2007-3385</a> was incomplete. It did not consider the
+ <cve>CVE-2007-3385</cve> was incomplete. It did not consider the
use of quotes or %5C within a cookie value.</p>
<p>Affects: 4.1.0-4.1.36</p>
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461"
- rel="nofollow">CVE-2007-5461</a></p>
+ <cve>CVE-2007-5461</cve></p>
<p>When Tomcat's WebDAV servlet is configured for use with a context and
has been enabled for write, some WebDAV requests that specify an entity
@@ -299,8 +261,7 @@
<section name="Fixed in Apache Tomcat 4.1.36">
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090"
- rel="nofollow">CVE-2005-2090</a></p>
+ <cve>CVE-2005-2090</cve></p>
<p>Requests with multiple content-length headers should be rejected as
invalid. When multiple components (firewalls, caches, proxies and
Tomcat)
@@ -316,13 +277,11 @@
<p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p>
<p><strong>important: Directory traversal</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450"
- rel="nofollow">CVE-2007-0450</a></p>
+ <cve>CVE-2007-0450</cve></p>
<p>The fix for this issue was insufficient. A fix was also required in the
JK connector module for httpd. See
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860"
- rel="nofollow">CVE-2007-1860</a> for further information.</p>
+ <cve>CVE-2007-1860</cve> for further information.</p>
<p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is
used behind a proxy (including, but not limited to, Apache HTTP server
@@ -355,8 +314,7 @@
<p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358"
- rel="nofollow">CVE-2007-1358</a></p>
+ <cve>CVE-2007-1358</cve></p>
<p>Web pages that display the Accept-Language header value sent by the
client are susceptible to a cross-site scripting attack if they assume
@@ -373,8 +331,7 @@
<section name="Fixed in Apache Tomcat 4.1.35">
<p><strong>low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4308"
- rel="nofollow">CVE-2008-4308</a></p>
+ <cve>CVE-2008-4308</cve></p>
<p><a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=40771">Bug
40771</a> may result in the disclosure of POSTed content from a previous
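Review bot: the context line still uses a raw bugzilla anchor for "Bug 40771", while the CVE-2009-0783 entry earlier in this diff switched to `<bug>29936</bug>` and `<bug>45933</bug>`; the Bug 25835 anchor in the next hunk is in the same state. Converting both to the bug element would complete the markup simplification this commit sets out to do.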
@@ -389,8 +346,7 @@
<section name="Fixed in Apache Tomcat 4.1.32">
<p><strong>low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271"
- rel="nofollow">CVE-2008-3271</a></p>
+ <cve>CVE-2008-3271</cve></p>
<p><a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=25835">
Bug 25835</a> can, in rare circumstances - this has only been reproduced
@@ -402,8 +358,7 @@
<p>Affects: 4.1.0-4.1.31</p>
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858"
- rel="nofollow">CVE-2007-1858</a></p>
+ <cve>CVE-2007-1858</cve></p>
<p>The default SSL configuration permitted the use of insecure cipher
suites
including the anonymous cipher suite. The default configuration no
@@ -412,8 +367,7 @@
<p>Affects: 4.1.28-4.1.31</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196"
- rel="nofollow">CVE-2006-7196</a></p>
+ <cve>CVE-2006-7196</cve></p>
<p>The calendar application included as part of the JSP examples is
susceptible to a cross-site scripting attack as it does not escape
@@ -422,8 +376,7 @@
<p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.31</p>
<p><strong>low: Directory listing</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835"
- rel="nofollow">CVE-2006-3835</a></p>
+ <cve>CVE-2006-3835</cve></p>
<p>This is expected behaviour when directory listings are enabled. The
semicolon (;) is the separator for path parameters so inserting one
@@ -435,8 +388,7 @@
<p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.31</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4838"
- rel="nofollow">CVE-2005-4838</a></p>
+ <cve>CVE-2005-4838</cve></p>
<p>Various JSPs included as part of the JSP examples and the Tomcat Manager
are susceptible to a cross-site scripting attack as they do not escape
@@ -445,8 +397,7 @@
<p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.31</p>
<p><strong>important: Denial of service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510"
- rel="nofollow">CVE-2005-3510</a></p>
+ <cve>CVE-2005-3510</cve></p>
<p>The root cause is the relatively expensive calls required to generate
the content for the directory listings. If directory listings are
@@ -462,8 +413,7 @@
<section name="Fixed in Apache Tomcat 4.1.29">
<p><strong>moderate: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1567"
- rel="nofollow">CVE-2002-1567</a></p>
+ <cve>CVE-2002-1567</cve></p>
<p>The unmodified requested URL is included in the 404 response header. The
new lines in this URL appear to the client to be the end of the header
@@ -477,22 +427,19 @@
<section name="Fixed in Apache Tomcat 4.1.13, 4.0.6">
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1394"
- rel="nofollow">CVE-2002-1394</a></p>
+ <cve>CVE-2002-1394</cve></p>
<p>A specially crafted URL using the invoker servlet in conjunction with
the
default servlet can enable an attacker to obtain the source of JSP pages
or, under special circumstances, a static resource that would otherwise
have been protected by a security constraint without the need to be
properly authenticated. This is a variation of
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148"
- rel="nofollow">CVE-2002-1148</a></p>
+ <cve>CVE-2002-1148</cve></p>
<p>Affects: 4.0.0-4.0.5, 4.1.0-4.1.12</p>
<p><strong>moderate: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0682"
- rel="nofollow">CVE-2002-0682</a></p>
+ <cve>CVE-2002-0682</cve></p>
<p>A specially crafted URL using the invoker servlet and various internal
classess causes Tomcat to throw an exception that includes unescaped
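Review bot: "classess" in the unchanged context line after CVE-2002-0682 is a typo for "classes", and the sentence that now ends in `<cve>CVE-2002-1148</cve></p>` has no full stop; both are cheap to fix while this entry is being touched.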
@@ -503,8 +450,7 @@
<section name="Fixed in Apache Tomcat 4.1.12, 4.0.5">
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148"
- rel="nofollow">CVE-2002-1148</a></p>
+ <cve>CVE-2002-1148</cve></p>
<p>A specially crafted URL using the default servlet can enable an attacker
to obtain the source of JSP pages.</p>
@@ -514,8 +460,7 @@
<section name="Fixed in Apache Tomcat 4.1.3">
<p><strong>important: Denial of service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0935"
- rel="nofollow">CVE-2002-0935</a></p>
+ <cve>CVE-2002-0935</cve></p>
<p>A malformed HTTP request can cause the request processing thread to
become unresponsive. A sequence of such requests will cause all request
@@ -527,8 +472,7 @@
<section name="Fixed in Apache Tomcat 4.1.0">
<p><strong>important: Denial of service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0866"
- rel="nofollow">CVE-2003-0866</a></p>
+ <cve>CVE-2003-0866</cve></p>
<p>A malformed HTTP request can cause the request processing thread to
become unresponsive. A sequence of such requests will cause all request
@@ -537,8 +481,7 @@
<p>Affects: 4.0.0-4.0.6</p>
<p><strong>low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006"
- rel="nofollow">CVE-2002-2006</a></p>
+ <cve>CVE-2002-2006</cve></p>
<p>The snoop and trouble shooting servlets installed as part of the
examples
include output that identifies the Tomcat installation path.</p>
@@ -549,10 +492,8 @@
<section name="Fixed in Apache Tomcat 4.0.2">
<p><strong>low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2009"
- rel="nofollow">CVE-2002-2009</a>,
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0917"
- rel="nofollow">CVE-2001-0917</a></p>
+ <cve>CVE-2002-2009</cve>,
+ <cve>CVE-2001-0917</cve></p>
<p>Requests for JSP files where the file name is preceded by '+/', '>/',
'</' or '%20/' or a request for a JSP with a long file name would
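Review bot: two `<cve>` elements separated by a comma and a line break depend on the template producing inline output; if it emits a block element, the two identifiers render on separate lines with a dangling comma. Worth confirming that the generated page shows "CVE-2002-2009, CVE-2001-0917" on one line.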
@@ -564,8 +505,7 @@
<section name="Fixed in Apache Tomcat 4.0.0">
<p><strong>moderate: Security manager bypass</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0493"
- rel="nofollow">CVE-2002-0493</a></p>
+ <cve>CVE-2002-0493</cve></p>
<p>If errors are encountered during the parsing of web.xml and Tomcat is
configured to use a security manager it is possible for Tomcat to start
@@ -576,10 +516,8 @@
<section name="Unverified">
<p><strong>low: Installation path disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4703"
- rel="nofollow">CVE-2005-4703</a>,
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2008"
- rel="nofollow">CVE-2002-2008</a><br/></p>
+ <cve>CVE-2005-4703</cve>,
+ <cve>CVE-2002-2008</cve></p>
<p>This issue only affects Windows operating systems. It can not be
reproduced on Windows XP Home with JDKs 1.3.1, 1.4.2, 1.5.0 or 1.6.0.
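Review bot: dropping the stray `<br/>` before `</p>` is a correct cleanup; it added an empty line break inside the paragraph, and after this conversion no other entry in the file keeps one, so the Unverified entries now match the rest.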
@@ -591,8 +529,7 @@
<p>Affects: 4.0.3?</p>
<p><strong>important: Denial of service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1895"
- rel="nofollow">CVE-2002-1895</a><br/></p>
+ <cve>CVE-2002-1895</cve></p>
<p>This issue only affects configurations that use IIS in conjunction with
Tomcat and the AJP1.3 connector. It can not be reproduced using Windows
@@ -604,19 +541,8 @@
</section>
<section name="Not a vulnerability in Tomcat">
- <p><strong>Denial of service vulnerability</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0936"
- rel="nofollow">CVE-2002-0936</a></p>
-
- <p>The issue described requires an attacker to be able to plant a JSP page
- on the Tomcat server. If an attacker can do this then the server is
- already compromised. In this case an attacker could just as easily add a
- page that called System.exit(1) rather than relying on a bug in an
- internal Sun class.</p>
-
<p><strong>important: Directory traversal</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938"
- rel="nofollow">CVE-2008-2938</a></p>
+ <cve>CVE-2008-2938</cve></p>
<p>Originally reported as a Tomcat vulnerability the root cause of this
issue is that the JVM does not correctly decode UTF-8 encoded URLs to
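Review bot: the removal of the CVE-2002-0936 entry here is only consistent with the log message if the block reappears verbatim further down in the same section; please diff the two copies. Independently, that entry's heading "Denial of service vulnerability" carries no severity prefix, unlike "important: Directory traversal" beside it; either adding one or noting that rejected reports carry none would keep the section uniform.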
@@ -640,11 +566,20 @@
status of this issue for your JVM, contact your JVM vendor.</p>
<p>A workaround was implemented in
- <a href="http://svn.apache.org/viewvc?rev=681065&view=rev">
- revision 681065</a> that protects against this and any similar character
+ <revlink rev="681065">revision 681065</revlink>
+ that protects against this and any similar character
encoding issues that may still exist in the JVM. This work around is
included in Tomcat 4.1.39 onwards.</p>
+ <p><strong>Denial of service vulnerability</strong>
+ <cve>CVE-2002-0936</cve></p>
+
+ <p>The issue described requires an attacker to be able to plant a JSP page
+ on the Tomcat server. If an attacker can do this then the server is
+ already compromised. In this case an attacker could just as easily add a
+ page that called System.exit(1) rather than relying on a bug in an
+ internal Sun class.</p>
+
</section>
</body>
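Review bot: `<revlink rev="681065">revision 681065</revlink>` repeats the revision number in both the attribute and the text, so the two can drift apart on later edits; if the template can derive the link text from `rev`, an element with only the attribute would avoid that. The re-added CVE-2002-0936 block now sits below CVE-2008-2938, which matches the "newer ones at the top" ordering in the log message.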