The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Apache Tomcat

vulnerability CVE-2019-0221

Apache Tomcat: Cross Site Scripting via SSI printenv

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via SSI printenv of Apache Tomcat, in order to run JavaScript code in the context of the web site.
Impacted products: Tomcat, Debian, Fedora, openSUSE Leap, Solaris, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 17/05/2019.
Identifiers: bulletinjul2019, CVE-2019-0221, DLA-1810-1, DLA-1883-1, FEDORA-2019-1a3f878d27, FEDORA-2019-d66febb5df, openSUSE-SU-2019:1673-1, openSUSE-SU-2019:1808-1, SUSE-SU-2019:1693-1, SUSE-SU-2019:1866-1, SUSE-SU-2019:1895-1, USN-4128-1, USN-4128-2, VIGILANCE-VUL-29350.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting via SSI printenv of Apache Tomcat, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2018-11759

Apache Tomcat JK mod_jk: information disclosure via Reverse Proxy

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Reverse Proxy of Apache Tomcat JK mod_jk, in order to obtain sensitive information.
Impacted products: Tomcat, Debian, openSUSE Leap, Solaris, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 05/11/2018.
Identifiers: bulletinjan2019, CVE-2018-11759, DLA-1609-1, DSA-4357-1, openSUSE-SU-2018:4032-1, SUSE-SU-2018:3963-1, SUSE-SU-2018:3963-2, SUSE-SU-2018:3969-1, SUSE-SU-2018:3970-1, VIGILANCE-VUL-27665.

Description of the vulnerability

An attacker can bypass access restrictions to data via Reverse Proxy of Apache Tomcat JK mod_jk, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2018-11784

Apache Tomcat: open redirect via Directory Redirect

Synthesis of the vulnerability

An attacker can deceive the user via Directory Redirect of Apache Tomcat, in order to redirect him to a malicious site.
Impacted products: Tomcat, Business Objects, Debian, Fedora, QRadar SIEM, ePO, McAfee Web Gateway, Snap Creator Framework, SnapManager, openSUSE Leap, Oracle Communications, Solaris, RHEL, SAP ERP, NetWeaver, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 04/10/2018.
Identifiers: bulletinoct2018, cpuapr2019, CVE-2018-11784, DLA-1544-1, DLA-1545-1, FEDORA-2018-b18f9dd65b, FEDORA-2018-b89746cb9b, ibm10874888, NTAP-20181014-0002, openSUSE-SU-2018:3453-1, openSUSE-SU-2018:4042-1, openSUSE-SU-2019:0084-1, openSUSE-SU-2019:1547-1, openSUSE-SU-2019:1814-1, RHSA-2019:0130-01, RHSA-2019:0131-01, RHSA-2019:0485-01, RHSA-2019:1529-01, SB10257, SB10264, SUSE-SU-2018:3261-1, SUSE-SU-2018:3388-1, SUSE-SU-2018:3393-1, SUSE-SU-2018:3935-1, SUSE-SU-2018:3968-1, USN-3787-1, VIGILANCE-VUL-27396.

Description of the vulnerability

An attacker can deceive the user via Directory Redirect of Apache Tomcat, in order to redirect him to a malicious site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2018-8034

Apache Tomcat: Man-in-the-Middle via WebSocket Client

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle via WebSocket Client on Apache Tomcat, in order to read or write data in the session.
Impacted products: Tomcat, Blue Coat CAS, Debian, Fedora, QRadar SIEM, openSUSE Leap, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 23/07/2018.
Identifiers: CERTFR-2018-AVI-584, CVE-2018-8034, DLA-1453-1, DLA-1491-1, DSA-4281-1, FEDORA-2018-b1832101b8, ibm10742719, openSUSE-SU-2018:2740-1, openSUSE-SU-2018:3054-1, RHSA-2019:0130-01, RHSA-2019:0131-01, RHSA-2019:0450-01, RHSA-2019:0451-01, RHSA-2019:1159-01, RHSA-2019:1160-01, RHSA-2019:1161-01, RHSA-2019:1162-01, RHSA-2019:1529-01, RHSA-2019:2205-01, SUSE-SU-2018:2699-1, SUSE-SU-2018:3011-2, SUSE-SU-2018:3261-1, SUSE-SU-2018:3388-1, SYMSA1463, USN-3723-1, VIGILANCE-VUL-26817.

Description of the vulnerability

An attacker can act as a Man-in-the-Middle via WebSocket Client on Apache Tomcat, in order to read or write data in the session.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2018-8037

Apache Tomcat: information disclosure via User Sessions Reuse

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via User Sessions Reuse of Apache Tomcat, in order to obtain sensitive information.
Impacted products: Tomcat, Debian, Fedora, QRadar SIEM, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 23/07/2018.
Identifiers: CERTFR-2018-AVI-356, CERTFR-2018-AVI-584, CVE-2018-8037, DSA-4281-1, FEDORA-2018-b1832101b8, ibm10742719, openSUSE-SU-2018:2740-1, openSUSE-SU-2018:3054-1, RHSA-2018:2867-01, RHSA-2018:2868-01, RHSA-2019:1529-01, SUSE-SU-2018:2699-1, SUSE-SU-2018:3011-2, SUSE-SU-2018:3388-1, VIGILANCE-VUL-26816.

Description of the vulnerability

An attacker can bypass access restrictions to data via User Sessions Reuse of Apache Tomcat, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2018-1336

Apache Tomcat: infinite loop via UTF-8 Decoder

Synthesis of the vulnerability

An attacker can generate an infinite loop via UTF-8 Decoder of Apache Tomcat, in order to trigger a denial of service.
Impacted products: Tomcat, Blue Coat CAS, Debian, openSUSE Leap, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 23/07/2018.
Identifiers: CERTFR-2018-AVI-356, CVE-2018-1336, DLA-1491-1, DSA-4281-1, openSUSE-SU-2018:2740-1, openSUSE-SU-2018:3054-1, RHSA-2018:2700-01, RHSA-2018:2701-01, RHSA-2018:2740-01, RHSA-2018:2741-01, RHSA-2018:2742-01, RHSA-2018:2743-01, RHSA-2018:2921-01, RHSA-2018:2930-01, SUSE-SU-2018:2699-1, SUSE-SU-2018:3011-2, SUSE-SU-2018:3261-1, SUSE-SU-2018:3388-1, SYMSA1463, USN-3723-1, VIGILANCE-VUL-26815.

Description of the vulnerability

An attacker can generate an infinite loop via UTF-8 Decoder of Apache Tomcat, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2018-8014

Apache Tomcat: privilege escalation via CORS Filter SupportsCredentials All Origins

Synthesis of the vulnerability

An attacker can bypass restrictions via CORS Filter SupportsCredentials All Origins of Apache Tomcat, in order to escalate his privileges.
Impacted products: Tomcat, Debian, Fedora, openSUSE Leap, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: privileged access/rights, data reading.
Provenance: intranet client.
Creation date: 17/05/2018.
Identifiers: bulletinjul2018, CVE-2018-8014, DLA-1400-1, DLA-1400-2, DLA-1883-1, FEDORA-2018-b1832101b8, openSUSE-SU-2018:2740-1, openSUSE-SU-2018:3054-1, RHSA-2018:2469-01, RHSA-2018:2470-01, RHSA-2019:0450-01, RHSA-2019:0451-01, RHSA-2019:1529-01, RHSA-2019:2205-01, SUSE-SU-2018:2699-1, SUSE-SU-2018:3011-2, SUSE-SU-2018:3261-1, SUSE-SU-2018:3388-1, USN-3665-1, VIGILANCE-VUL-26154.

Description of the vulnerability

An attacker can bypass restrictions via CORS Filter SupportsCredentials All Origins of Apache Tomcat, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin 25883

Tomcat: Cross Site Scripting via Manager Application IE

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Manager Application IE of Tomcat, in order to run JavaScript code in the context of the web site.
Impacted products: Tomcat.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 17/04/2018.
Identifiers: VIGILANCE-VUL-25883.

Description of the vulnerability

The Tomcat product offers a web service.

However, it does not filter received data via Manager Application IE before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Manager Application IE of Tomcat, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2017-15706

Apache Tomcat: code execution via Documented CGI Search Algorithm

Synthesis of the vulnerability

An attacker can use a vulnerability via Documented CGI Search Algorithm of Apache Tomcat, in order to run code.
Impacted products: Tomcat, openSUSE Leap, Solaris, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 30/03/2018.
Identifiers: bulletinapr2018, CVE-2017-15706, openSUSE-SU-2018:0852-1, SUSE-SU-2018:3261-1, SUSE-SU-2018:3388-1, USN-3665-1, VIGILANCE-VUL-25725.

Description of the vulnerability

An attacker can use a vulnerability via Documented CGI Search Algorithm of Apache Tomcat, in order to run code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2018-1323

Apache Tomcat JK ISAPI Connector: directory traversal

Synthesis of the vulnerability

An attacker can traverse directories of Apache Tomcat JK ISAPI Connector, in order to read a file outside the service root path.
Impacted products: Tomcat, Solaris.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 12/03/2018.
Identifiers: bulletinjan2019, CVE-2018-1323, VIGILANCE-VUL-25528.

Description of the vulnerability

An attacker can traverse directories of Apache Tomcat JK ISAPI Connector, in order to read a file outside the service root path.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Apache Tomcat: