A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker without access to the Tomcat process or configuration files could manipulate the RMI registry to perform a man-in-the-middle attack. The attacker could then capture user names and passwords used to access the JMX interface and gain complete control over the Tomcat instance. (CVE-2019-12418)

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. (CVE-2019-17563)

A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-13935)

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user-provided data, so it was possible for users to supply values that invalidated or manipulated the JSON output. (CVE-2022-45143)

Apache Commons FileUpload prior to 1.5 does not limit the number of request parts to be processed, so an attacker could trigger a DoS with a malicious upload or a series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. (CVE-2023-24998)

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. (CVE-2023-28708)
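The WebSocket entry above (CVE-2020-13935) turns on a single step: the server must validate the payload length a remote peer declares before acting on it. The following Python parser is an added example, not code from this page or from Apache Tomcat; it implements the RFC 6455 frame-header length rules (7-bit, 16-bit and 64-bit encodings, the zero most-significant-bit requirement, minimal encoding, the 125-byte cap on control frames) and additionally enforces a server-side size limit. The `MAX_PAYLOAD` constant, the `describe` helper and the sample frames are assumptions constructed for the example.

```python
"""Validate the header of a WebSocket (RFC 6455) frame before trusting
its declared payload length.

Added example, not Tomcat's code. A server that skips these checks may
loop or allocate on a length the peer controls, which is the failure
class CVE-2020-13935 describes.
"""
from dataclasses import dataclass


class InvalidFrame(ValueError):
    """The header violates RFC 6455; the connection should be closed."""


class NeedMoreData(Exception):
    """The buffer does not yet hold a complete header."""


# Upper bound on one frame's payload accepted by this parser.
# Assumed value for the example; a real server makes this configurable.
MAX_PAYLOAD = 1 << 20  # 1 MiB

OPCODE_CLOSE = 0x8  # opcodes 0x8..0xF are control frames


@dataclass(frozen=True)
class FrameHeader:
    fin: bool
    opcode: int
    masked: bool
    payload_len: int
    header_len: int  # bytes consumed by the header, masking key included
    mask_key: bytes


def parse_frame_header(buf: bytes, max_payload: int = MAX_PAYLOAD) -> FrameHeader:
    if len(buf) < 2:
        raise NeedMoreData
    b0, b1 = buf[0], buf[1]
    fin = bool(b0 & 0x80)
    if b0 & 0x70:
        raise InvalidFrame("RSV bits set without a negotiated extension")
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    len7 = b1 & 0x7F
    pos = 2

    if len7 <= 125:
        payload_len = len7
    elif len7 == 126:
        if len(buf) < pos + 2:
            raise NeedMoreData
        payload_len = int.from_bytes(buf[pos:pos + 2], "big")
        pos += 2
        if payload_len < 126:  # RFC 6455 requires the minimal encoding
            raise InvalidFrame("16-bit length used for a value that fits in 7 bits")
    else:  # len7 == 127: 64-bit extended length
        if len(buf) < pos + 8:
            raise NeedMoreData
        raw = buf[pos:pos + 8]
        pos += 8
        if raw[0] & 0x80:  # RFC 6455: most significant bit MUST be 0
            raise InvalidFrame("64-bit length has its most significant bit set")
        payload_len = int.from_bytes(raw, "big")
        if payload_len < 65536:
            raise InvalidFrame("64-bit length used for a value that fits in 16 bits")

    # Control frames may not be fragmented or exceed 125 bytes.
    if opcode >= OPCODE_CLOSE and (payload_len > 125 or not fin):
        raise InvalidFrame("control frame longer than 125 bytes or fragmented")
    # Server-side policy: refuse anything larger than we are willing to buffer.
    if payload_len > max_payload:
        raise InvalidFrame(f"payload of {payload_len} bytes exceeds limit {max_payload}")

    mask_key = b""
    if masked:
        if len(buf) < pos + 4:
            raise NeedMoreData
        mask_key = bytes(buf[pos:pos + 4])
        pos += 4
    return FrameHeader(fin, opcode, masked, payload_len, pos, mask_key)


def describe(buf: bytes) -> str:
    """Return a one-line verdict for a frame header (convenience for logging/tests)."""
    try:
        h = parse_frame_header(buf)
    except NeedMoreData:
        return "incomplete"
    except InvalidFrame as exc:
        return f"invalid: {exc}"
    return f"ok: opcode={h.opcode} len={h.payload_len} header={h.header_len}"


if __name__ == "__main__":
    # Constructed sample frames: a 2-byte text frame, a masked 300-byte frame,
    # a non-minimal 16-bit length, and a 64-bit length with the MSB set.
    for sample in (
        b"\x81\x02Hi",
        b"\x81\xfe\x01\x2c\x01\x02\x03\x04",
        b"\x81\x7e\x00\x05",
        b"\x81\x7f" + b"\x80" * 8,
    ):
        print(sample.hex(), "->", describe(sample))
```

The parser separates "incomplete" (wait for more bytes) from "invalid" (close the connection), so a peer cannot keep the read loop spinning on a header that can never become valid.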
Vulnerable Product |
---|
apache tomcat |
apache tomcat 9.0.0 |
apache tomcat 10.0.0 |
debian debian linux 9.0 |
debian debian linux 10.0 |
netapp oncommand system manager |
opensuse leap 15.1 |
opensuse leap 15.2 |
canonical ubuntu linux 16.04 |
canonical ubuntu linux 20.04 |
mcafee epolicy orchestrator 5.9.0 |
mcafee epolicy orchestrator 5.9.1 |
mcafee epolicy orchestrator 5.10.0 |
oracle agile engineering data management 6.2.1.0 |
oracle agile plm 9.3.3 |
oracle agile plm 9.3.5 |
oracle agile plm 9.3.6 |
oracle blockchain platform |
oracle commerce guided search 11.3.2 |
oracle communications cloud native core policy 1.14.0 |
oracle communications instant messaging server 10.0.1.5.0 |
oracle fmw platform 12.2.1.3.0 |
oracle fmw platform 12.2.1.4.0 |
oracle instantis enterprisetrack 17.1 |
oracle instantis enterprisetrack 17.2 |
oracle instantis enterprisetrack 17.3 |
oracle managed file transfer 12.2.1.3.0 |
oracle managed file transfer 12.2.1.4.0 |
oracle mysql enterprise monitor |
oracle siebel ui framework |
oracle workload manager 12.2.0.1 |
oracle workload manager 18c |
oracle workload manager 19c |