Homepage

tomcat:catalina@sources vulnerabilities

  • latest version

    5.5.23

  • first published

    20 years ago

  • latest version published

    17 years ago

  • licenses detected

  • package registry

    View on Maven Central Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the tomcat:catalina package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cross-site Request Forgery (CSRF)

    tomcat:catalina is a library that contains Tomcat Servlet Engine Core Classes and Standard implementations.

    Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator.

    How to fix Cross-site Request Forgery (CSRF)?

    There is no fixed version for tomcat:catalina.

    [0,)
    • H
    Authentication Bypass

    tomcat:catalina is a library that contains Tomcat Servlet Engine Core Classes and Standard implementations.

    Affected versions of this package are vulnerable to Authentication Bypass. By default, Tomcat automatically deploys any directories placed in ahost's appBase. This behaviour is controlled by the autoDeploy attributeofwhich defaults to true. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication.

    Note: This issue only affects Windows platforms.This was fixed in revision 892815.

    How to fix Authentication Bypass?

    There is no fixed version for tomcat:catalina.

    [0,)
    • M
    Timing Attack

    tomcat:catalina is a library that contains Tomcat Servlet Engine Core Classes and Standard implementations.

    Affected versions of this package are vulnerable to Timing Attack. The setGlobalContext method in ResourceLinkFactory.java does not consider whether callers to this method are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

    How to fix Timing Attack?

    Upgrade tomcat:catalina to version 5.5.24 or higher.

    [4,5.5.24)
    • M
    Denial of Service (DoS)

    tomcat:catalina Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

    [,5.5.35)
    • M
    Access Restriction Bypass

    tomcat:catalina The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

    [,5.5.34)
    Go back to all versions of this package