
Summary

Detail
Vendor: Apache
Product: Tomcat
Version: 7.0.32
Update: *
Edition: *
Language: *
Software Edition: *
Target Software: *
Target Hardware: *
Other: *

First view: 2015-06-07
Last view: 2020-06-29
Type: Application
 
CPE Product cpe:2.3:a:apache:tomcat

Activity : Overall

Related : CVE

Score Date CVE
7.8 2020-06-29 CVE-2020-8022

An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.

8.1 2019-04-15 CVE-2019-0232

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

8.1 2017-09-19 CVE-2017-12615

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

5 2015-06-07 CVE-2014-7810

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

CWE : Common Weakness Enumeration

% (count) id Name
25% (1) CWE-434 Unrestricted Upload of File with Dangerous Type
25% (1) CWE-284 Access Control (Authorization) Issues
25% (1) CWE-276 Incorrect Default Permissions
25% (1) CWE-78 Improper Sanitization of Special Elements used in an OS Command ('O...

Information Assurance Vulnerability Management (IAVM)

id Description
2015-B-0065 Apache Tomcat Security Bypass Vulnerability
Severity: Category I - VMSKEY: V0060761

Snort® IPS/IDS

Date Description
2014-01-10 .cmd? access
RuleID : 9791 - Type : SERVER-WEBAPP - Revision : 8
2014-01-10 .bat? access
RuleID : 976-community - Type : SERVER-WEBAPP - Revision : 21
2014-01-10 .bat? access
RuleID : 976 - Type : SERVER-WEBAPP - Revision : 21

Nessus® Vulnerability Scanner

This CPE has more than 25 relations; only a partial list of matching Nessus plugins is shown below.
Date Description
2018-11-29 Name: The remote FreeBSD host is missing a security-related update.
File: freebsd_pkg_22bc5327f33f11e8be460019dbb15b3f.nasl - Type: ACT_GATHER_INFO
2018-11-27 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZLSA-2017-3080.nasl - Type: ACT_GATHER_INFO
2018-01-15 Name: The remote Fedora host is missing a security update.
File: fedora_2017-ebb76fc3c9.nasl - Type: ACT_GATHER_INFO
2017-11-13 Name: The remote Fedora host is missing a security update.
File: fedora_2017-f499ee7b12.nasl - Type: ACT_GATHER_INFO
2017-11-13 Name: The remote Fedora host is missing a security update.
File: fedora_2017-ef7c118dbc.nasl - Type: ACT_GATHER_INFO
2017-11-08 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2017-3113.nasl - Type: ACT_GATHER_INFO
2017-11-02 Name: The remote Apache Tomcat server is affected by a code execution vulnerability.
File: tomcat_6_0_24.nasl - Type: ACT_GATHER_INFO
2017-11-01 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2017-1262.nasl - Type: ACT_GATHER_INFO
2017-11-01 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2017-1261.nasl - Type: ACT_GATHER_INFO
2017-10-31 Name: The remote Scientific Linux host is missing one or more security updates.
File: sl_20171030_tomcat_on_SL7_x.nasl - Type: ACT_GATHER_INFO
2017-10-31 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2017-3080.nasl - Type: ACT_GATHER_INFO
2017-10-31 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2017-3081.nasl - Type: ACT_GATHER_INFO
2017-10-31 Name: The remote Scientific Linux host is missing one or more security updates.
File: sl_20171030_tomcat6_on_SL6_x.nasl - Type: ACT_GATHER_INFO
2017-10-30 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2017-3081.nasl - Type: ACT_GATHER_INFO
2017-10-30 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2017-3080.nasl - Type: ACT_GATHER_INFO
2017-10-30 Name: The remote Oracle Linux host is missing one or more security updates.
File: oraclelinux_ELSA-2017-3081.nasl - Type: ACT_GATHER_INFO
2017-10-30 Name: The remote Oracle Linux host is missing one or more security updates.
File: oraclelinux_ELSA-2017-3080.nasl - Type: ACT_GATHER_INFO
2017-09-19 Name: The remote Apache Tomcat server is affected by multiple vulnerabilities.
File: tomcat_7_0_81.nasl - Type: ACT_GATHER_INFO
2017-05-01 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2016-1049.nasl - Type: ACT_GATHER_INFO
2016-10-12 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2016-2046.nasl - Type: ACT_GATHER_INFO
2016-10-12 Name: The remote Scientific Linux host is missing one or more security updates.
File: sl_20161010_tomcat_on_SL7_x.nasl - Type: ACT_GATHER_INFO
2016-10-11 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2016-2046.nasl - Type: ACT_GATHER_INFO
2016-10-11 Name: The remote Oracle Linux host is missing one or more security updates.
File: oraclelinux_ELSA-2016-2046.nasl - Type: ACT_GATHER_INFO
2016-03-28 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3530.nasl - Type: ACT_GATHER_INFO
2016-03-24 Name: The remote Scientific Linux host is missing one or more security updates.
File: sl_20160323_tomcat6_on_SL6_x.nasl - Type: ACT_GATHER_INFO