tomcat:tomcat-coyote@5.5.4 vulnerabilities

  • latest version

    5.5.23

  • first published

    19 years ago

  • latest version published

    17 years ago

  • Direct Vulnerabilities

    Known vulnerabilities in the tomcat:tomcat-coyote package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • [Medium] Information Exposure

    tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat.

    Affected versions of this package are vulnerable to Information Exposure. The previous fix for CVE-2007-3385 was incomplete: it did not consider the use of quotes or %5C within a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.

    How to fix Information Exposure?

    There is no fixed version for tomcat:tomcat-coyote.

    Vulnerable versions: [4.1.0,)
    • [High] Access Restriction Bypass

    Affected versions of tomcat:tomcat-coyote are vulnerable to Access Restriction Bypass. Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

    Vulnerable versions: [5.5.4,)
    • [Medium] Information Exposure

    tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat.

    Affected versions of this package are vulnerable to Information Exposure. Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header.

    NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

    How to fix Information Exposure?

    There is no fixed version for tomcat:tomcat-coyote.

    Vulnerable versions: [0,)
    • [Medium] Denial of Service (DoS)

    tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat.

    Affected versions of this package are vulnerable to Denial of Service (DoS). Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data.

    NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.

    How to fix Denial of Service (DoS)?

    Upgrade tomcat:tomcat-coyote to version 5.5.24 or higher.

    Vulnerable versions: [3.3.2,5.5.24)
    • [Medium] Information Exposure

    tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat.

    Affected versions of this package are vulnerable to Information Exposure because they do not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."

    How to fix Information Exposure?

    Upgrade tomcat:tomcat-coyote to version 5.5.30 or higher.

    Vulnerable versions: [5.5,5.5.30)