Executive Summary

Informations
NameCVE-2010-3718First vendor Publication2011-02-10
VendorCveLast vendor Modification2019-03-25

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:H/Au:N/C:N/I:P/A:N)
Cvss Base Score1.2Attack RangeLocal
Cvss Impact Score2.9Attack ComplexityHigh
Cvss Expoit Score1.9AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:19379
 
Oval ID: oval:org.mitre.oval:def:19379
Title: HP-UX Apache Running Tomcat Servlet Engine, Remote Denial of Service (DoS), Access Restriction Bypass, Unauthorized Modification and Other Vulnerabilities
Description: Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3718
Version: 11
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13969
 
Oval ID: oval:org.mitre.oval:def:13969
Title: HP-UX Apache Running Tomcat Servlet Engine, Remote Information Disclosure, Authentication Bypass, Cross-Site Scripting (XSS), Unauthorized Access, Denial of Service (DoS)
Description: Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3718
Version: 11
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12517
 
Oval ID: oval:org.mitre.oval:def:12517
Title: HP-UX Apache Web Server, Remote Information Disclosure, Cross-Site Scripting (XSS), Denial of Service (DoS)
Description: Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3718
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application63

OpenVAS Exploits

DateDescription
2012-08-10Name : Gentoo Security Advisory GLSA 201206-24 (apache tomcat)
File : nvt/glsa_201206_24.nasl
2012-07-30Name : CentOS Update for tomcat5 CESA-2011:1845 centos5 x86_64
File : nvt/gb_CESA-2011_1845_tomcat5_centos5_x86_64.nasl
2012-06-06Name : RedHat Update for tomcat6 RHSA-2011:0791-01
File : nvt/gb_RHSA-2011_0791-01_tomcat6.nasl
2011-12-23Name : RedHat Update for tomcat5 RHSA-2011:1845-01
File : nvt/gb_RHSA-2011_1845-01_tomcat5.nasl
2011-12-23Name : CentOS Update for tomcat5 CESA-2011:1845 centos5 i386
File : nvt/gb_CESA-2011_1845_tomcat5_centos5_i386.nasl
2011-10-21Name : Fedora Update for tomcat6 FEDORA-2011-13457
File : nvt/gb_fedora_2011_13457_tomcat6_fc14.nasl
2011-10-20Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2011-006)
File : nvt/gb_macosx_su11-006.nasl
2011-05-05Name : HP-UX Update for Apache Web Server HPSBUX02645
File : nvt/gb_hp_ux_HPSBUX02645.nasl
2011-04-01Name : Ubuntu Update for tomcat6 vulnerabilities USN-1097-1
File : nvt/gb_ubuntu_USN_1097_1.nasl
2011-03-07Name : Debian Security Advisory DSA 2160-1 (tomcat6)
File : nvt/deb_2160_1.nasl
2011-02-22Name : Mandriva Update for tomcat5 MDVSA-2011:030 (tomcat5)
File : nvt/gb_mandriva_MDVSA_2011_030.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
71558Apache Tomcat SecurityManager ServletContext Attribute Traversal Arbitrary Fi...

Nessus® Vulnerability Scanner

DateDescription
2014-06-13Name : The remote openSUSE host is missing a security update.
File : suse_11_3_tomcat6-110211.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-1845.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20110519_tomcat6_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20111220_tomcat5_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-06-25Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201206-24.nasl - Type : ACT_GATHER_INFO
2011-12-21Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-1845.nasl - Type : ACT_GATHER_INFO
2011-12-21Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2011-1845.nasl - Type : ACT_GATHER_INFO
2011-10-21Name : The remote Fedora host is missing a security update.
File : fedora_2011-13457.nasl - Type : ACT_GATHER_INFO
2011-10-13Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2011-006.nasl - Type : ACT_GATHER_INFO
2011-05-20Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-0791.nasl - Type : ACT_GATHER_INFO
2011-05-05Name : The remote openSUSE host is missing a security update.
File : suse_11_2_tomcat6-110211.nasl - Type : ACT_GATHER_INFO
2011-03-30Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1097-1.nasl - Type : ACT_GATHER_INFO
2011-03-18Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12687.nasl - Type : ACT_GATHER_INFO
2011-03-03Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_tomcat5-7337.nasl - Type : ACT_GATHER_INFO
2011-02-20Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-030.nasl - Type : ACT_GATHER_INFO
2011-02-14Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2160.nasl - Type : ACT_GATHER_INFO
2011-02-14Name : The remote web server is affected by multiple vulnerabilities.
File : tomcat_6_0_30.nasl - Type : ACT_GATHER_INFO
2011-02-11Name : The remote web server is affected by a security bypass vulnerability.
File : tomcat_7_0_4.nasl - Type : ACT_GATHER_INFO
2010-07-16Name : The remote Apache Tomcat server is affected by multiple vulnerabilities.
File : tomcat_transfer_encoding.nasl - Type : ACT_ATTACK

Sources (Detail)

SourceUrl
APPLE http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
BID http://www.securityfocus.com/bid/46177
BUGTRAQ http://www.securityfocus.com/archive/1/516211/100/0/threaded
CONFIRM http://support.apple.com/kb/HT5002
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_50985...
DEBIAN http://www.debian.org/security/2011/dsa-2160
HP http://marc.info/?l=bugtraq&m=130168502603566&w=2
http://marc.info/?l=bugtraq&m=132215163318824&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2011:030
MISC http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
MLIST https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efb...
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c8...
REDHAT http://www.redhat.com/support/errata/RHSA-2011-0791.html
http://www.redhat.com/support/errata/RHSA-2011-0896.html
http://www.redhat.com/support/errata/RHSA-2011-0897.html
http://www.redhat.com/support/errata/RHSA-2011-1845.html
SECTRACK http://www.securitytracker.com/id?1025025
SREASON http://securityreason.com/securityalert/8072
SUSE http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
XF https://exchange.xforce.ibmcloud.com/vulnerabilities/65159

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
DateInformations
2019-03-25 17:18:57
  • Multiple Updates
2019-03-21 21:19:09
  • Multiple Updates
2019-03-19 12:03:45
  • Multiple Updates
2018-10-11 00:19:58
  • Multiple Updates
2017-09-19 09:24:00
  • Multiple Updates
2017-08-17 09:23:07
  • Multiple Updates
2016-08-23 09:24:39
  • Multiple Updates
2016-04-26 20:08:59
  • Multiple Updates
2014-06-14 13:29:29
  • Multiple Updates
2014-03-18 13:21:57
  • Multiple Updates
2014-03-08 13:21:38
  • Multiple Updates
2014-02-17 10:57:51
  • Multiple Updates
2014-02-12 13:22:00
  • Multiple Updates
2013-12-05 17:19:05
  • Multiple Updates
2013-11-15 13:19:46
  • Multiple Updates
2013-09-10 17:22:50
  • Multiple Updates
2013-06-05 13:19:29
  • Multiple Updates
2013-05-10 23:34:17
  • Multiple Updates
2012-11-07 05:19:34
  • Multiple Updates