12/13/2023

Apache tomcat 7.0 88

I. Overview

On J (US time), the Apache Software Foundation released information on vulnerabilities (CVE-2018-1336, CVE-2018-8034 and CVE-2018-8037) in Apache Tomcat.

In the vulnerability CVE-2018-1336, improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a denial of service.

The Apache Software Foundation has assigned an "Important" rating to the vulnerabilities CVE-2018-1336 and CVE-2018-8037, and a "Low" rating to the vulnerability CVE-2018-8034.

For details on these vulnerabilities, please refer to the information provided by the Apache Software Foundation:

CVE-2018-1336 Apache Tomcat - Denial of Service (Apache Software Foundation)
CVE-2018-8034 Apache Tomcat - Security Constraint (Apache Software Foundation)
CVE-2018-8037 Apache Tomcat - Information Disclosure (Apache Software Foundation)

Please update the software as soon as possible by referring to the information provided in "III. Solution".

II. Affected Products

The following versions of Apache Tomcat are affected by these vulnerabilities.

III. Solution

The Apache Software Foundation has released a version of Apache Tomcat that addresses these vulnerabilities. Please consider applying the latest version as soon as possible.

If you have any information regarding this alert, please contact JPCERT/CC.

Earlier Apache Tomcat 5.5.x, 6.x and 7.x vulnerabilities:

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.

Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.

Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression.

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.
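An added example, not part of this page nor of any JPCERT/CC or Apache material, that maps an installed Tomcat version string onto the affected version ranges stated in the descriptions above, so a defender can triage an inventory of Tomcat hosts. The issue labels are this example's own short names (the page gives no CVE ids for these older entries), and the 2018 issues are left out because the page's list of their affected versions did not survive.

```python
"""Map a Tomcat version to the affected ranges described on this page.

Added example: the ranges below are transcribed from the descriptions on the
page; the labels are descriptive names chosen here, not official CVE titles.
"""
from typing import Callable, List, Tuple

Version = Tuple[int, ...]
Pred = Callable[[Version], bool]


def parse_version(text: str) -> Version:
    """Turn '7.0.17' into (7, 0, 17); a missing component counts as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def before(branch: Version, fixed: str) -> Pred:
    """'x.y before x.y.z': same branch and strictly older than the fixed release."""
    fixed_v = parse_version(fixed)
    return lambda v: v[: len(branch)] == branch and v < fixed_v


def between(low: str, high: str) -> Pred:
    """'a through b': inclusive on both ends."""
    low_v, high_v = parse_version(low), parse_version(high)
    return lambda v: low_v <= v <= high_v


def exactly(*versions: str) -> Pred:
    """A finite set of affected releases, e.g. '7.0.12 and 7.0.13'."""
    allowed = {parse_version(x) for x in versions}
    return lambda v: v in allowed


def any_of(*preds: Pred) -> Pred:
    return lambda v: any(p(v) for p in preds)


# Affected ranges, transcribed from the descriptions on this page.
ISSUES = [
    ("ServletSecurity annotations ignored when web.xml has no constraints",
     before((7,), "7.0.11")),
    ("first request bypasses annotation constraints (incomplete fix)",
     exactly("7.0.12", "7.0.13")),
    ("XML parser replaceable by another web application",
     before((7,), "7.0.17")),
    ("MemoryUserDatabase logs passwords on JMX user-creation errors",
     any_of(before((5, 5), "5.5.34"), before((6,), "6.0.33"), before((7,), "7.0.17"))),
    ("Digest auth: qop value not checked",
     any_of(before((5, 5), "5.5.34"), before((6,), "6.0.33"), before((7,), "7.0.12"))),
    ("Digest auth: realm value not checked",
     any_of(before((5, 5), "5.5.34"), before((6,), "6.0.33"), before((7,), "7.0.12"))),
    ("Digest auth: hard-coded 'Catalina' server secret",
     any_of(before((5, 5), "5.5.34"), before((6,), "6.0.33"), before((7,), "7.0.12"))),
    ("AJP connector can treat a request body as a new request",
     any_of(between("5.5.0", "5.5.33"), between("6.0.0", "6.0.33"), between("7.0.0", "7.0.20"))),
]


def affected_issues(version: str) -> List[str]:
    """Return the labels of every described issue whose range contains `version`."""
    v = parse_version(version)
    return [label for label, pred in ISSUES if pred(v)]


if __name__ == "__main__":
    # Constructed sample inventory: one host per line, "hostname tomcat-version".
    inventory = ["web-01 7.0.12", "web-02 6.0.33", "web-03 7.0.88"]
    for line in inventory:
        host, ver = line.split()
        hits = affected_issues(ver)
        print(f"{host} ({ver}): {len(hits)} issue(s)")
        for label in hits:
            print("  -", label)
```

The AJP range is inclusive ("through"), whereas the "before" ranges exclude the fixed release, so 6.0.33 still matches the AJP entry while the 6.x "before 6.0.33" entries no longer apply to it; that boundary is the easiest place to get a triage script wrong.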