Executive Summary
| Summary | |
|---|---|
| Title | New tomcat packages fix source disclosure vulnerability |
| Informations | |||
|---|---|---|---|
| Name | DSA-225 | First vendor Publication | 2002-01-09 |
| Vendor | Debian | Last vendor Modification | 2002-01-09 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases, which allows to use a specially crafted URL to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by a security constraint, without the need for being properly authenticated. This is based on a variant of the exploit that was identified as CAN-2002-1148. For the current stable distribution (woody) this problem has been fixed in version 4.0.3-3woody2. The old stable distribution (potato) does not contain tomcat packages. For the unstable distribution (sid) this problem does not exist in the current version 4.1.16-1. We recommend that you upgrade your tomcat packages. Installation Instructions |
Original Source
| Url : http://www.debian.org/security/2002/dsa-225 |
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 225-1 (tomcat4) File : nvt/deb_225_1.nasl |
| 2005-11-03 | Name : Tomcat 4.x JSP Source Exposure File : nvt/tomcat_source_exposure.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 9705 | Apache Tomcat Invoker/Default Servlet Source Disclosure |
| 8773 | Apache Tomcat Catalina org.apache.catalina.servlets.DefaultServlet Source Cod... Apache Tomcat contains a flaw that may allow a remote attacker to gain access to file source code. The issue is due to the default servlet (org.apache.catalina.servlets.DefaultServlet) allowing requests directly to it, which will allow an attacker to view the source code for server files. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-170.nasl - Type : ACT_GATHER_INFO |
| 2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-225.nasl - Type : ACT_GATHER_INFO |
| 2002-11-28 | Name : The remote web server is affected by an information disclosure vulnerability. File : tomcat_source_exposure.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:30:13 |
|
| 2013-05-11 12:18:04 |
|
