org.apache.tomcat:tomcat-util-scan@8.0.3 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-util-scan package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry below lists the vulnerability, its severity, how to fix it, and the vulnerable version range.

Severity: Medium (M)
Information Exposure

org.apache.tomcat:tomcat-util-scan provides common code shared by Catalina and Jasper for scanning JARs and processing XML descriptors.

Affected versions of this package are vulnerable to Information Exposure. It was discovered that, when a SecurityManager is configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible to it.

How to fix Information Exposure?

Upgrade org.apache.tomcat:tomcat-util-scan to version 8.0.37, 8.5.5, 9.0.0.M10 or higher.

Vulnerable versions: [8,8.0.37), [8.5.0,8.5.5), [9-alpha,9.0.0.M10)
Severity: Medium (M)
Arbitrary File Read

org.apache.tomcat:tomcat-util-scan provides common code shared by Catalina and Jasper for scanning JARs and processing XML descriptors.

Affected versions of this package are vulnerable to Arbitrary File Read. Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet. This allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, an XML External Entity (XXE) issue, or (2) read files belonging to other web applications on the same Tomcat instance via a crafted web application.

How to fix Arbitrary File Read?

Upgrade org.apache.tomcat:tomcat-util-scan to version 8.0.6 or higher.

Vulnerable versions: [8.0.0,8.0.6)