Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Summary of Vulnerable Dependencies (click to show all)
* indicates the dependency has a known exploited vulnerability
Description:
checker-qual contains annotations (type qualifiers) that a programmerwrites to specify Java code for type-checking by the Checker Framework.
License:
The MIT License: http://opensource.org/licenses/MITFile Path: C:\Users\Jeremy\.m2\repository\org\checkerframework\checker-qual\3.53.0\checker-qual-3.53.0.jar
Description:
Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time.
License:
Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\com\google\errorprone\error_prone_annotations\2.46.0\error_prone_annotations-2.46.0.jar
Description:
A set of annotations that provide additional information to the J2ObjC
translator to modify the result of translation.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\com\google\j2objc\j2objc-annotations\3.1\j2objc-annotations-3.1.jar
Description:
JSR305 Annotations for Findbugs
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\com\google\code\findbugs\jsr305\3.0.2\jsr305-3.0.2.jar
File Path: C:\Users\Jeremy\.m2\repository\org\projectlombok\lombok\1.18.42\lombok-1.18.42.jar\lombok\launch\mavenEcjBootstrapAgent.jar
MD5: 885d5d6be90a5dcd4b82cdf741e3f31a
SHA1: e1f7f1779f40157fd0b984c1bc32a0cb45cae66e
SHA256:74a80a6ee84e5c6fe497dfcc46a46dbe30578525e747eb531e918ee0750c8da9
Referenced In Project/Scope: tomcat9-config:provided
Description:
Spice up your java: Automatic Resource Management, automatic generation of getters, setters, equals, hashCode and toString, and more!
License:
The MIT License: https://projectlombok.org/LICENSEFile Path: C:\Users\Jeremy\.m2\repository\org\projectlombok\lombok\1.18.42\lombok-1.18.42.jar
File Path: C:\Users\Jeremy\.m2\repository\org\gaul\modernizer-maven-annotations\3.2.0\modernizer-maven-annotations-3.2.0.jar
MD5: 127396b14eb51fd93eb587308f079768
SHA1: 23a99089ff682152e86ab1691a8232db325def09
SHA256:9f9396f361f0d45d435355c1f2b57980307abd81f3131083ec18f54fbbaa5ecb
Referenced In Project/Scope: tomcat9-config:provided
modernizer-maven-annotations-3.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.115
Description:
Annotations the SpotBugs tool supports
License:
GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.htmlFile Path: C:\Users\Jeremy\.m2\repository\com\github\spotbugs\spotbugs-annotations\4.9.8\spotbugs-annotations-4.9.8.jar
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\annotations-api.jar
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\bin\bootstrap.jar
MD5: eca1700ab20bc14bdff1c1b2ed8223fa
SHA1: 7c9f38f02f299f4e95f049a8b847f03e852ec7ff
SHA256:590c54979afb80bf7836cdebbe832476557a4313087502663f6b1f11127ba3f8
Referenced In Project/Scope: tomcat9-config:provided
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\catalina-ant.jar
MD5: 01bc11cee839ddf70f32b04f693f9b41
SHA1: f0c0990c57003d52ee3f25a22473e843fab1e088
SHA256:af27a466f668c6de7975fa51fcaa1e1894e3f30e915e4351805a480853b32d93
Referenced In Project/Scope: tomcat9-config:provided
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\catalina-ha.jar
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\catalina.jar
Description:
Apache Commons Daemon software is a set of utilities and Java support
classes for running Java applications as server processes. These are
commonly known as 'daemon' processes in Unix terminology (hence the
name). On Windows they are called 'services'.
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\bin\commons-daemon.jar
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\ecj-4.20.jar
MD5: ee47966a67cd4019f1b8ccac74ba8dca
SHA1: 4837be609a3368a0f7e7cf0dc1bdbc7fe94993de
SHA256:ac0ba5876eaf7ebb47749a0d1be179c51f194b9dd0b875d1c09e1b530f5a2db5
Referenced In Project/Scope: tomcat9-config:provided
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\el-api.jar
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.NVD-CWE-noinfo
Vulnerable Software & Versions: (show all)
CISA Known Exploited Vulnerability:
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.CWE-44 Path Equivalence: 'file.name' (Internal Dot), CWE-502 Deserialization of Untrusted Data, CWE-706 Use of Incorrectly-Resolved Name or Reference
Vulnerable Software & Versions: (show all)
A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.CWE-276 Incorrect Default Permissions
Vulnerable Software & Versions: (show all)
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.CWE-254 7PK - Security Features
Vulnerable Software & Versions:
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.CWE-255 Credentials Management Errors
Vulnerable Software & Versions: (show all)
The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issueCWE-20 Improper Input Validation
Vulnerable Software & Versions: (show all)
Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.CWE-94 Improper Control of Generation of Code ('Code Injection')
Vulnerable Software & Versions: (show all)
Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator.CWE-352 Cross-Site Request Forgery (CSRF)
Vulnerable Software & Versions: (show all)
The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.CWE-20 Improper Input Validation
Vulnerable Software & Versions: (show all)
The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.NVD-CWE-noinfo
Vulnerable Software & Versions: (show all)
Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.NVD-CWE-Other
Vulnerable Software & Versions:
Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).NVD-CWE-Other
Vulnerable Software & Versions:
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.CWE-16 Configuration
Vulnerable Software & Versions:
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.CWE-189 Numeric Errors
Vulnerable Software & Versions: (show all)
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions:
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1.CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions: (show all)
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions:
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.CWE-20 Improper Input Validation
Vulnerable Software & Versions: (show all)
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Vulnerable Software & Versions: (show all)
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.CWE-264 Permissions, Privileges, and Access Controls
Vulnerable Software & Versions: (show all)
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.CWE-189 Numeric Errors
Vulnerable Software & Versions: (show all)
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.CWE-264 Permissions, Privileges, and Access Controls
Vulnerable Software & Versions: (show all)
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions: (show all)
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\jasper-el.jar
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\jasper.jar
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\jaspic-api.jar
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\jsp-api.jar
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\webapps\docs\appdev\sample\sample.war
MD5: 570f196c4a1025a717269d16d11d6f37
SHA1: 80f5053b166c69d81697ba21113c673f8372aca0
SHA256:89b33caa5bf4cfd235f060c396cb1a5acb2734a1366db325676f48c5f5ed92e5
Referenced In Project/Scope: tomcat9-config:provided
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\servlet-api.jar
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.NVD-CWE-noinfo
Vulnerable Software & Versions: (show all)
CISA Known Exploited Vulnerability:
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.CWE-44 Path Equivalence: 'file.name' (Internal Dot), CWE-502 Deserialization of Untrusted Data, CWE-706 Use of Incorrectly-Resolved Name or Reference
Vulnerable Software & Versions: (show all)
Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values.CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Vulnerable Software & Versions: (show all)
A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.CWE-276 Incorrect Default Permissions
Vulnerable Software & Versions: (show all)
Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.CWE-255 Credentials Management Errors
Vulnerable Software & Versions: (show all)
The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issueCWE-20 Improper Input Validation
Vulnerable Software & Versions: (show all)
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.CWE-94 Improper Control of Generation of Code ('Code Injection')
Vulnerable Software & Versions: (show all)
Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator.CWE-352 Cross-Site Request Forgery (CSRF)
Vulnerable Software & Versions: (show all)
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.CWE-20 Improper Input Validation
Vulnerable Software & Versions: (show all)
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
The Catalina org.apache.catalina.connector.http package in Tomcat 4.0.x up to 4.0.3 allows remote attackers to cause a denial of service via several requests that do not follow the HTTP protocol, which causes Tomcat to reject later requests.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.CWE-16 Configuration
Vulnerable Software & Versions:
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.CWE-189 Numeric Errors
Vulnerable Software & Versions: (show all)
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions:
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1.CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions: (show all)
Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
Cross-site scripting (XSS) vulnerability in SendMailServlet in the examples web application (examples/jsp/mail/sendmail.jsp) in Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.36 allows remote attackers to inject arbitrary web script or HTML via the From field and possibly other fields, related to generation of error messages.NVD-CWE-Other
Vulnerable Software & Versions: (show all)
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vulnerable Software & Versions: (show all)
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions:
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.CWE-20 Improper Input Validation
Vulnerable Software & Versions: (show all)
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Vulnerable Software & Versions: (show all)
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.CWE-264 Permissions, Privileges, and Access Controls
Vulnerable Software & Versions: (show all)
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.CWE-189 Numeric Errors
Vulnerable Software & Versions: (show all)
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.CWE-264 Permissions, Privileges, and Access Controls
Vulnerable Software & Versions: (show all)
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors.CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions: (show all)
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vulnerable Software & Versions: (show all)
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions: (show all)
The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Vulnerable Software & Versions: (show all)
Description:
An implementation of the JSP Standard Tag Library (JSTL).
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\webapps\examples\WEB-INF\lib\taglibs-standard-impl-1.2.5.jar
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\tomcat-api.jar
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\tomcat-i18n-cs.jar
MD5: 5482b417dc512ea78a67c46cad23fdd4
SHA1: c2d6357093e9905fc470692fef3ae40697f45235
SHA256:2e9d06c4b82fc712d350d2ae4a6b361b1d833c074a429a74a99a21cd684ea98f
Referenced In Project/Scope: tomcat9-config:provided
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\tomcat-i18n-fr.jar
MD5: 787a682bee65dc2a68627628e4a84b4c
SHA1: 38704e7947af1af9ba2293976be84237b7cb8f25
SHA256:4ba2d51eee4f5f4f98e52d29b34307d1b5d4b390ccbe451e407558116371124c
Referenced In Project/Scope: tomcat9-config:provided
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\bin\tomcat-juli.jar
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.115\tomcat-9.0.115.tar.gz\tomcat-9.0.115.tar\apache-tomcat-9.0.115\lib\websocket-api.jar