Summary
Detail | Value | Detail | Value |
---|---|---|---|
Vendor | Apache | First view | 2015-06-07 |
Product | Tomcat | Last view | 2020-06-29 |
Version | 7.0.29 | Type | Application |
Update | * | | |
Edition | * | | |
Language | * | | |
Software Edition | * | | |
Target Software | * | | |
Target Hardware | * | | |
Other | * | | |
CPE Product | cpe:2.3:a:apache:tomcat | | |
Related : CVE
Score | Date | CVE | Description |
---|---|---|---|
7.8 | 2020-06-29 | CVE-2020-8022 | An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1. |
8.1 | 2019-04-15 | CVE-2019-0232 | When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). |
8.1 | 2017-09-19 | CVE-2017-12615 | When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. |
5 | 2015-06-07 | CVE-2014-7810 | The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation. |
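Two of the entries above (CVE-2017-12615 and CVE-2019-0232) are only reachable when a specific setting in Tomcat's conf/web.xml is switched on: the Default servlet with readonly=false (HTTP PUT accepted) and a mapped CGI servlet with enableCmdLineArguments=true. The script below is an added example, not code from this page or from the Tomcat project: it parses a web.xml, reports those two preconditions, and emits a hardened copy with the parameters forced to their safe values. The embedded web.xml is constructed for the example and deliberately has both risky settings enabled; the function and parameter names are this example's own.

```python
"""Audit and harden a Tomcat conf/web.xml for the two CVE preconditions:
  * DefaultServlet readonly=false  -> HTTP PUT/DELETE accepted (CVE-2017-12615)
  * mapped CGIServlet with enableCmdLineArguments=true (CVE-2019-0232)
Standard library only. The sample web.xml is constructed for this example."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: both risky settings switched on.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit('}', 1)[-1]


def _text(el):
    return (el.text or '').strip()


def _params(servlet_el):
    """Return {param-name: param-value} for one <servlet> element."""
    params = {}
    for ip in servlet_el:
        if _local(ip.tag) != 'init-param':
            continue
        name = value = None
        for p in ip:
            if _local(p.tag) == 'param-name':
                name = _text(p)
            elif _local(p.tag) == 'param-value':
                value = _text(p)
        if name is not None:
            params[name] = value
    return params


def load(xml_text):
    """Parse web.xml into (root, {servlet-name: info}, set of mapped servlet names)."""
    root = ET.fromstring(xml_text)
    servlets, mapped = {}, set()
    for el in root:
        tag = _local(el.tag)
        if tag == 'servlet':
            name = cls = None
            for c in el:
                if _local(c.tag) == 'servlet-name':
                    name = _text(c)
                elif _local(c.tag) == 'servlet-class':
                    cls = _text(c)
            if name:
                servlets[name] = {'class': cls or '', 'params': _params(el), 'el': el}
        elif tag == 'servlet-mapping':
            for c in el:
                if _local(c.tag) == 'servlet-name':
                    mapped.add(_text(c))
    return root, servlets, mapped


def audit(xml_text):
    """Return a list of (cve, servlet-name, reason) for risky settings found."""
    _, servlets, mapped = load(xml_text)
    findings = []
    for name, s in servlets.items():
        cls, p = s['class'], s['params']
        # Tomcat's default for readonly is true; only an explicit false opens PUT.
        if cls.endswith('DefaultServlet') and (p.get('readonly') or 'true').lower() == 'false':
            findings.append(('CVE-2017-12615', name, 'readonly=false: HTTP PUT/DELETE accepted'))
        # An unmapped CGIServlet definition is inert; only a mapped one is reachable.
        if cls.endswith('CGIServlet') and name in mapped:
            v = p.get('enableCmdLineArguments')
            if v is None:
                findings.append(('CVE-2019-0232', name,
                                 'enableCmdLineArguments unset: default is version-dependent '
                                 '(disabled only in 9.0.x before the fix); set it explicitly'))
            elif v.lower() == 'true':
                findings.append(('CVE-2019-0232', name, 'enableCmdLineArguments=true'))
    return findings


def harden(xml_text):
    """Return web.xml text with readonly=true on every DefaultServlet and
    enableCmdLineArguments=false on every CGIServlet (params created if absent).
    New <init-param> elements are appended at the end of <servlet>; move them before
    <load-on-startup> if your file has one and you validate against the schema."""
    root, servlets, _ = load(xml_text)
    ns = root.tag[1:].split('}')[0] if root.tag.startswith('{') else ''
    if ns:
        ET.register_namespace('', ns)  # keep the default namespace, avoid ns0: prefixes

    def q(tag):
        return '{%s}%s' % (ns, tag) if ns else tag

    def set_param(servlet_el, pname, pvalue):
        for ip in servlet_el:
            if _local(ip.tag) == 'init-param':
                names = [c for c in ip if _local(c.tag) == 'param-name']
                if names and _text(names[0]) == pname:
                    for c in ip:
                        if _local(c.tag) == 'param-value':
                            c.text = pvalue
                    return
        ip = ET.SubElement(servlet_el, q('init-param'))
        ET.SubElement(ip, q('param-name')).text = pname
        ET.SubElement(ip, q('param-value')).text = pvalue

    for s in servlets.values():
        if s['class'].endswith('DefaultServlet'):
            set_param(s['el'], 'readonly', 'true')
        elif s['class'].endswith('CGIServlet'):
            set_param(s['el'], 'enableCmdLineArguments', 'false')
    return ET.tostring(root, encoding='unicode')


if __name__ == '__main__':
    # Usage: python audit_webxml.py [path/to/conf/web.xml]; no argument audits the sample.
    text = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for cve, servlet, reason in audit(text):
        print('%s  servlet=%s  %s' % (cve, servlet, reason))
```

Run it against a real conf/web.xml (and each deployed application's WEB-INF/web.xml, which can redefine the same servlets) rather than trusting the distribution default; the hardened output from harden() is a starting point to diff against the live file, not a drop-in replacement for a hand-maintained configuration.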
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
25% (1) | CWE-434 | Unrestricted Upload of File with Dangerous Type |
25% (1) | CWE-284 | Access Control (Authorization) Issues |
25% (1) | CWE-276 | Incorrect Default Permissions |
25% (1) | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('O... |
Information Assurance Vulnerability Management (IAVM)
id | Description |
---|---|
2015-B-0065 | Apache Tomcat Security Bypass Vulnerability Severity: Category I - VMSKEY: V0060761 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | .cmd? access RuleID : 9791 - Type : SERVER-WEBAPP - Revision : 8 |
2014-01-10 | .bat? access RuleID : 976-community - Type : SERVER-WEBAPP - Revision : 21 |
2014-01-10 | .bat? access RuleID : 976 - Type : SERVER-WEBAPP - Revision : 21 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2018-11-29 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_22bc5327f33f11e8be460019dbb15b3f.nasl - Type: ACT_GATHER_INFO |
2018-11-27 | Name: The remote Virtuozzo host is missing a security update. File: Virtuozzo_VZLSA-2017-3080.nasl - Type: ACT_GATHER_INFO |
2018-01-15 | Name: The remote Fedora host is missing a security update. File: fedora_2017-ebb76fc3c9.nasl - Type: ACT_GATHER_INFO |
2017-11-13 | Name: The remote Fedora host is missing a security update. File: fedora_2017-f499ee7b12.nasl - Type: ACT_GATHER_INFO |
2017-11-13 | Name: The remote Fedora host is missing a security update. File: fedora_2017-ef7c118dbc.nasl - Type: ACT_GATHER_INFO |
2017-11-08 | Name: The remote Red Hat host is missing one or more security updates. File: redhat-RHSA-2017-3113.nasl - Type: ACT_GATHER_INFO |
2017-11-02 | Name: The remote Apache Tomcat server is affected by a code execution vulnerability. File: tomcat_6_0_24.nasl - Type: ACT_GATHER_INFO |
2017-11-01 | Name: The remote EulerOS host is missing multiple security updates. File: EulerOS_SA-2017-1262.nasl - Type: ACT_GATHER_INFO |
2017-11-01 | Name: The remote EulerOS host is missing multiple security updates. File: EulerOS_SA-2017-1261.nasl - Type: ACT_GATHER_INFO |
2017-10-31 | Name: The remote Scientific Linux host is missing one or more security updates. File: sl_20171030_tomcat_on_SL7_x.nasl - Type: ACT_GATHER_INFO |
2017-10-31 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2017-3080.nasl - Type: ACT_GATHER_INFO |
2017-10-31 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2017-3081.nasl - Type: ACT_GATHER_INFO |
2017-10-31 | Name: The remote Scientific Linux host is missing one or more security updates. File: sl_20171030_tomcat6_on_SL6_x.nasl - Type: ACT_GATHER_INFO |
2017-10-30 | Name: The remote Red Hat host is missing one or more security updates. File: redhat-RHSA-2017-3081.nasl - Type: ACT_GATHER_INFO |
2017-10-30 | Name: The remote Red Hat host is missing one or more security updates. File: redhat-RHSA-2017-3080.nasl - Type: ACT_GATHER_INFO |
2017-10-30 | Name: The remote Oracle Linux host is missing one or more security updates. File: oraclelinux_ELSA-2017-3081.nasl - Type: ACT_GATHER_INFO |
2017-10-30 | Name: The remote Oracle Linux host is missing one or more security updates. File: oraclelinux_ELSA-2017-3080.nasl - Type: ACT_GATHER_INFO |
2017-09-19 | Name: The remote Apache Tomcat server is affected by multiple vulnerabilities. File: tomcat_7_0_81.nasl - Type: ACT_GATHER_INFO |
2017-05-01 | Name: The remote EulerOS host is missing multiple security updates. File: EulerOS_SA-2016-1049.nasl - Type: ACT_GATHER_INFO |
2016-10-12 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2016-2046.nasl - Type: ACT_GATHER_INFO |
2016-10-12 | Name: The remote Scientific Linux host is missing one or more security updates. File: sl_20161010_tomcat_on_SL7_x.nasl - Type: ACT_GATHER_INFO |
2016-10-11 | Name: The remote Red Hat host is missing one or more security updates. File: redhat-RHSA-2016-2046.nasl - Type: ACT_GATHER_INFO |
2016-10-11 | Name: The remote Oracle Linux host is missing one or more security updates. File: oraclelinux_ELSA-2016-2046.nasl - Type: ACT_GATHER_INFO |
2016-03-28 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-3530.nasl - Type: ACT_GATHER_INFO |
2016-03-24 | Name: The remote Scientific Linux host is missing one or more security updates. File: sl_20160323_tomcat6_on_SL6_x.nasl - Type: ACT_GATHER_INFO |