Apache Tomcat suffers from denial of service and information disclosure vulnerabilities. Versions 5.5.0 through 5.5.29, 6.0.0 through 6.0.27 and 7.0.0 are affected.
a5aff5aadf481acae877a1d2a5155229ecfe8e755377a60718db10961e4c55b6
Apache Tomcat suffers from an information disclosure vulnerability. Versions 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 are affected.
71b56d7d50c320916af3d9126ceb755d2f6a8367f5c73af2e17bdd580d4bbda4
Apache Tomcat suffers from an insecure partial deploy after failed deploy vulnerability.
6e42d1072930b0a860fd427cec3601f44c65eee0533acddfbb5bb93668b5b599
Apache Tomcat suffers from an unexpected file deletion in work directory vulnerability. Versions 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 are affected.
b8916693e4e438f1e8ec19e93a66873769e5d428e6db947e2f31149843bb9c15
The Apache Tomcat Windows installer insecurely leaves the default install with a blank administrator password. Versions 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 are affected.
f8608d7a6d60069ffab1e793f603c654c2740a90aa17b497d091322882ca16d5
When using a RequestDispatcher obtained from the Request in Apache Tomcat, the target path was normalized before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.
c0a0a2a9804149cddfa6d775c7f68367d06311ea65f71bbd9aad52799158a793
Apache Tomcat suffers from a XML parser replacement related information disclosure vulnerability. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.
c2b64deb31914b487990416282c15bcbf60ade318ae9adeff66567f4a45f4d69
If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.
c1222adcdce7d85aa41a91cfdf45704103468dc97af6d891ef3a467ed12ed3c9
Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of usernames by supplying illegally URL encoded passwords. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.
23d04996953f18e735ec39419f21aa830d1507afe0c131cb6125bc7e54f441ba
Spring Framework versions 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 suffer from a remote denial of service vulnerability.
43ffa4a8c67305f4bb66e1c03bb625604fc3fa6c8224823165f49d924d7c103c
Apache Tomcat versions 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 suffer from an information disclosure vulnerability.
768d53d9e66098ca1617ffada6c18d5bb474b2b3a0457418984e05a53b42a23e
This vulnerability was originally reported to the Apache Software Foundation as a Tomcat vulnerability. Investigations quickly identified that the root cause was an issue with the UTF-8 charset implementation within the JVM. The issue existed in multiple JVMs including current versions from Sun, HP, IBM, Apple and Apache. It was decided to continue to report this as a Tomcat vulnerability until such time as the JVM vendors had released fixed versions.
e900270f78788247830b00a35c41b325144bc065b616b71c79bd1ef3ec0ed86b
Apache Tomcat versions 4.1.0 to 4.1.31 and 5.5.0 suffer from an information disclosure vulnerability.
465aad4edd5d33fc410a93390311c63759bed560f67aa892017afbf7cb22422b
Apache Tomcat versions 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 suffer from an information disclosure vulnerability.
336ae34f18a11aaa4141e2fcd7aeb318b8b924dd30a3de3cafb02c982c3cd061
Tomcat versions 5.5.0 to 5.5.24 and 6.0.0 to 6.0.13 suffer from a cross site scripting vulnerability in the host manager functionality.
84aa48ad32c84fc16f0e577cc862d655e1f81b84b1b780d61e5ec1d8d0ba64d7
Tomcat versions 3.3 to 3.3.2, 4.1.0 to 4.1.36, 5.0.0 to 5.0.30, 5.5.0 to 5.5.24, and 6.0.0 to 6.0.13 suffer from an information leak disclosure in the way they handle \ characters in cookies.
e5589b41bdac2a0cffbf674971524413fe5a6341732f9a0f585fadb94c8d0951
Tomcat versions 3.3 to 3.3.2, 4.1.0 to 4.1.36, 5.0.0 to 5.0.30, 5.5.0 to 5.5.24, and 6.0.0 to 6.0.13 suffer from an information leak disclosure in the way they handle ' characters in cookies.
41519194941a60fb4c6de2f97ec088ad75995c1dece7ff92c6a5b9b74e676145
The Tomcat documentation web application includes a sample application that contains multiple cross site scripting vulnerabilities. Versions affected include Tomcat 4.0.0 to 4.0.6, Tomcat 4.1.0 to 4.1.36, Tomcat 5.0.0 to 5.0.30, Tomcat 5.5.0 to 5.5.23, and Tomcat 6.0.0 to 6.0.10.
968c88845b898089e8b8029963655b7859cb75e7641ac130b217cc79a098793a