The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of MicroFocus Network Node Manager i

security vulnerability CVE-2009-3555 CVE-2009-3910 CVE-2010-0082

Java JRE/JDK/SDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK/SDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 31/03/2010.
Identifiers: BID-39062, BID-39065, BID-39067, BID-39068, BID-39069, BID-39070, BID-39071, BID-39072, BID-39073, BID-39075, BID-39077, BID-39078, BID-39081, BID-39082, BID-39083, BID-39084, BID-39085, BID-39086, BID-39088, BID-39089, BID-39090, BID-39091, BID-39093, BID-39094, BID-39095, BID-39096, BID-39559, c02122104, c03405642, CERTA-2009-AVI-528, CERTA-2010-AVI-149, CERTA-2010-AVI-192, CERTA-2010-AVI-196, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-276, CERTA-2010-AVI-365, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2011-AVI-253, CERTA-2012-AVI-241, CERTA-2012-AVI-395, CVE-2009-3555, CVE-2009-3910, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849, CVE-2010-0850, FEDORA-2010-6025, FEDORA-2010-6039, FEDORA-2010-6279, HPSBMU02799, HPSBUX02524, javacpumar2010, MDVSA-2010:084, RHSA-2010:0337-01, RHSA-2010:0338-01, RHSA-2010:0339-01, RHSA-2010:0383-01, RHSA-2010:0408-01, RHSA-2010:0471-01, RHSA-2010:0489-01, RHSA-2010:0574-01, RHSA-2010:0586-01, RHSA-2010:0865-02, SSRT100089, SSRT100867, SUSE-SA:2010:026, SUSE-SA:2010:028, SUSE-SR:2010:008, SUSE-SR:2010:011, SUSE-SR:2010:013, SUSE-SR:2010:017, VIGILANCE-VUL-9550, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2, VU#507652, ZDI-10-051, ZDI-10-052, ZDI-10-053, ZDI-10-054, ZDI-10-055, ZDI-10-056, ZDI-10-057, ZDI-10-059, ZDI-10-060, ZDI-10-061.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK/SDK. The most severe vulnerabilities lead to code execution.

Twenty-four vulnerabilities lead to code execution. [severity:3/4; BID-39062, BID-39065, BID-39067, BID-39068, BID-39069, BID-39070, BID-39071, BID-39072, BID-39073, BID-39075, BID-39077, BID-39078, BID-39081, BID-39082, BID-39083, BID-39084, BID-39085, BID-39086, BID-39088, BID-39089, BID-39090, BID-39091, BID-39094, CERTA-2009-AVI-528, CERTA-2010-AVI-149, CERTA-2010-AVI-196, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-276, CERTA-2010-AVI-365, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2011-AVI-253, CERTA-2012-AVI-241, CVE-2009-3555, CVE-2010-0082, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0090, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849, CVE-2010-0850, VU#507652, ZDI-10-051, ZDI-10-052, ZDI-10-053, ZDI-10-054, ZDI-10-055, ZDI-10-056, ZDI-10-057, ZDI-10-059, ZDI-10-060, ZDI-10-061]

An attacker can obtain sensitive information. [severity:2/4; BID-39093, CERTA-2010-AVI-192, CVE-2010-0084]

An attacker can generate a denial of service of Java Web Start. [severity:2/4; BID-39095, CVE-2010-0089]

An attacker can obtain sensitive information. [severity:2/4; BID-39096, CVE-2010-0091]

A buffer overflow of HsbParser.getSoundBank() leads to code execution. [severity:3/4; BID-39559, CVE-2009-3910]

security weakness CVE-2010-0445

HP NNM: code execution

Synthesis of the vulnerability

A remote attacker can execute a command on the server using a vulnerability of HP Network Node Manager.
Severity: 3/4.
Creation date: 10/02/2010.
Identifiers: BID-38174, c01954593, CERTA-2010-AVI-075, CVE-2010-0445, HPSBMA02484, SSRT090076, VIGILANCE-VUL-9440.

Description of the vulnerability

The HP Network Node Manager product is used to manage a computer network.

A remote attacker can execute a command on the server using a vulnerability of HP Network Node Manager.

threat alert CVE-2009-4034 CVE-2009-4136

PostgreSQL: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities of PostgreSQL, in order to access a user's data.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 15/12/2009.
Identifiers: 274870, 6909139, 6909140, 6909142, BID-37333, BID-37334, c03333585, CERTA-2009-AVI-546, CVE-2009-4034, CVE-2009-4136, DSA-1964-1, FEDORA-2009-13363, FEDORA-2009-13381, HPSBMU02781, MDVSA-2009:333, RHSA-2010:0427-01, RHSA-2010:0428-01, RHSA-2010:0429-01, SSRT100617, SUSE-SR:2010:001, TLSA-2010-2, VIGILANCE-VUL-9285.

Description of the vulnerability

Two vulnerabilities were announced in PostgreSQL.

When SSL certificate authentication is used, an attacker can present an X.509 certificate whose name field contains a null character, in order to bypass access restrictions. [severity:2/4; BID-37334, CERTA-2009-AVI-546, CVE-2009-4034]
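The mechanism behind a null character in a certificate name, shown as an added example that is not part of the Vigil@nce bulletin and not PostgreSQL's own code: DER strings carry an explicit length, so a certificate authority that checks the whole value can legitimately sign a name such as "postgres\0.attacker.example", while a consumer written against C strings stops at the first NUL and sees only "postgres". The minimal DER helpers, the `db_user` name and the sample CNs below are assumptions constructed for the demonstration.

```python
"""Added illustration, not PostgreSQL code: why a NUL byte inside an X.509
name field defeats a C-string comparison, and a length-aware check that
does not. The DER helpers and the db_user name are assumptions for the demo."""

UTF8STRING_TAG = 0x0C  # ASN.1 UTF8String, the usual encoding of a CN


def der_utf8string(value: bytes) -> bytes:
    """Encode value as a DER UTF8String TLV (short-form length, < 128 bytes).
    DER carries an explicit length, so an embedded NUL is perfectly legal."""
    if len(value) >= 128:
        raise ValueError("short-form length only in this demo")
    return bytes([UTF8STRING_TAG, len(value)]) + value


def parse_utf8string(tlv: bytes) -> bytes:
    """Decode a DER UTF8String TLV and return its full content."""
    if len(tlv) < 2 or tlv[0] != UTF8STRING_TAG:
        raise ValueError("not a UTF8String")
    length = tlv[1]
    if length >= 128 or len(tlv) != 2 + length:
        raise ValueError("bad or unsupported length")
    return tlv[2:]


def as_c_string(content: bytes) -> bytes:
    """Model a C consumer that copies the value into a buffer and then uses
    strlen()/strcmp(): everything after the first NUL is invisible to it."""
    nul = content.find(b"\x00")
    return content if nul < 0 else content[:nul]


def cn_matches_vulnerable(cn_tlv: bytes, db_user: str) -> bool:
    """Vulnerable pattern: compare the C-string view of the CN."""
    return as_c_string(parse_utf8string(cn_tlv)) == db_user.encode()


def cn_matches_fixed(cn_tlv: bytes, db_user: str) -> bool:
    """Hardened pattern: reject any embedded NUL, then compare the full,
    length-delimited content."""
    cn = parse_utf8string(cn_tlv)
    if b"\x00" in cn:
        return False
    return cn == db_user.encode()


# Constructed sample: a CN a CA would issue for an attacker-controlled name
# (the CA sees the whole string) but that a C comparison reads as "postgres".
FORGED_CN = der_utf8string(b"postgres\x00.attacker.example")
HONEST_CN = der_utf8string(b"postgres")

if __name__ == "__main__":
    print("vulnerable accepts forged CN:", cn_matches_vulnerable(FORGED_CN, "postgres"))
    print("fixed accepts forged CN:     ", cn_matches_fixed(FORGED_CN, "postgres"))
```

The practical check is the one in `cn_matches_fixed`: treat a NUL anywhere in a name attribute as a hard failure rather than as a terminator, and compare the length-delimited value, never a C string derived from it.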

A local attacker can use an index function in order to elevate privileges. [severity:2/4; BID-37333, CVE-2009-4136]

threat bulletin CVE-2009-0217 CVE-2009-1380 CVE-2009-2405

Jboss EAP: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities affect JBoss EAP.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 10/12/2009.
Identifiers: 539495, BID-35671, BID-35958, BID-37276, c03824583, CERTA-2009-AVI-279, CERTA-2009-AVI-312, CERTA-2009-AVI-452, CERTA-2010-AVI-253, CERTA-2013-AVI-440, CVE-2009-0217, CVE-2009-1380, CVE-2009-2405, CVE-2009-2625, CVE-2009-3554, HPSBMU02894, RHSA-2009:1636-01, RHSA-2009:1637-01, RHSA-2009:1649-01, RHSA-2009:1650-01, SUSE-SR:2010:015, VIGILANCE-VUL-9267, VU#466161.

Description of the vulnerability

Several vulnerabilities affect JBoss EAP.

An attacker can bypass the XML signature of JBoss EAP (VIGILANCE-VUL-8864). [severity:3/4; BID-35671, CERTA-2009-AVI-279, CERTA-2009-AVI-452, CERTA-2010-AVI-253, CVE-2009-0217, VU#466161]

The JBoss Application Server Web Console does not correctly validate input data. An attacker can therefore perform a Cross Site Scripting attack in order to execute JavaScript code in the context of the user. [severity:2/4; BID-37276, CVE-2009-2405]

An attacker can use a vulnerability of Apache Xerces2, in order to generate a denial of service (VIGILANCE-VUL-8925). [severity:3/4; BID-35958, CERTA-2009-AVI-312, CVE-2009-2625]

The twiddle client logs all data passed on the command line to the file twiddle.log, and this file is world readable. The JMX password is therefore stored in plaintext in the log file, and an attacker can obtain it by reading the file. [severity:3/4; 539495, BID-37276, CVE-2009-3554]

The JMX Console does not correctly validate input data. An attacker can therefore perform a Cross Site Scripting attack in order to execute JavaScript code in the context of the user. [severity:2/4; BID-37276, CVE-2009-1380]

computer vulnerability bulletin CVE-2009-3728 CVE-2009-3729 CVE-2009-3864

Java JRE/JDK/SDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK/SDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 16.
Creation date: 04/11/2009.
Revision date: 12/11/2009.
Identifiers: 269868, 269869, 269870, 270474, 270475, 270476, 6631533, 6636650, 6657026, 6657138, 6664512, 6815780, 6822057, 6824265, 6854303, 6862968, 6862969, 6862970, 6863503, 6864911, 6869694, 6869752, 6870531, 6872357, 6872358, 6872824, 6874643, BID-36881, c01997760, c03005726, c03405642, CERTA-2011-AVI-523, CERTA-2011-AVI-651, CERTA-2012-AVI-395, CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, FEDORA-2009-11486, FEDORA-2009-11490, HPSBMU02703, HPSBMU02799, HPSBUX02503, MDVSA-2010:084, RHSA-2009:1560-01, RHSA-2009:1571-01, RHSA-2009:1584-01, RHSA-2009:1643-01, RHSA-2009:1647-01, RHSA-2009:1662-01, RHSA-2009:1694-01, RHSA-2010:0043-01, RHSA-2010:0408-01, SSRT100019, SSRT100242, SSRT100867, SUSE-SA:2009:058, SUSE-SA:2010:002, SUSE-SA:2010:003, SUSE-SA:2010:004, VIGILANCE-VUL-9156, VMSA-2010-0002, VMSA-2010-0002.1, VMSA-2010-0002.2, VMSA-2010-0002.3, ZDI-09-076, ZDI-09-077, ZDI-09-078, ZDI-09-079, ZDI-09-080.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK/SDK.

The Java Update mechanism on non-English versions does not update the JRE when a new version is available. [severity:1/4; 269868, 6869694, BID-36881, CVE-2009-3864]

A command execution vulnerability in the Java Runtime Environment Deployment Toolkit can be used in order to execute arbitrary code. [severity:3/4; 269869, 6869752, BID-36881, CVE-2009-3865]

A vulnerability in the Java Web Start Installer may be leveraged to allow an untrusted Java Web Start application to run as a trusted application. [severity:3/4; 269870, 6869752, 6872824, BID-36881, CVE-2009-3866, ZDI-09-077]

Multiple buffer and integer overflow vulnerabilities in the Java Runtime Environment when processing audio and image files may allow an untrusted applet or Java Web Start application to escalate privileges. [severity:3/4; 270474, 6854303, 6862968, 6862969, 6862970, 6872357, 6872358, 6874643, BID-36881, CERTA-2011-AVI-523, CERTA-2011-AVI-651, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, ZDI-09-076, ZDI-09-078, ZDI-09-079, ZDI-09-080]

A security vulnerability in the Java Runtime Environment when verifying HMAC digests may allow authentication to be bypassed. [severity:3/4; 270475, 6863503, BID-36881, CVE-2009-3875]

A vulnerability in the Java Runtime Environment when decoding DER encoded data may allow a remote client to cause the JRE on the server to run out of memory, resulting in a DoS (Denial of Service) condition. [severity:3/4; 270476, 6864911, BID-36881, CVE-2009-3876]

A vulnerability in the Java Runtime Environment when parsing HTTP headers may allow a remote client to cause the JRE on the server to run out of memory, resulting in a DoS (Denial of Service) condition. [severity:3/4; 270476, 6864911, BID-36881, CVE-2009-3877]

An attacker can use the ICC_Profile.getInstance() method to detect if a file is present. [severity:1/4; 6631533, CVE-2009-3728]

An attacker can use a TrueType font, in order to generate a denial of service. [severity:1/4; 6815780, CVE-2009-3729]

An attacker can use a vulnerability of X11 and Win32GraphicsDevice. [severity:2/4; 6822057, CVE-2009-3879]

An attacker can use Component, KeyboardFocusManager and DefaultKeyboardFocusManager of AWT (Abstract Window Toolkit), in order to obtain sensitive data. [severity:2/4; 6664512, CVE-2009-3880]

An attacker can obtain information via ClassLoader. [severity:3/4; 6636650, CVE-2009-3881]

An attacker can obtain information via Swing. [severity:2/4; 6657026, CVE-2009-3882]

An attacker can obtain information via Windows Pluggable Look and Feel. [severity:2/4; 6657138, CVE-2009-3883]

An attacker can use the TimeZone.getTimeZone() method to detect if a file exists. [severity:2/4; 6824265, CVE-2009-3884]

An attacker can use a vulnerability of a signed JAR. [severity:2/4; 6870531, CVE-2009-3886]

security bulletin CVE-2009-3229 CVE-2009-3230 CVE-2009-3231

PostgreSQL: three vulnerabilities

Synthesis of the vulnerability

Three vulnerabilities of PostgreSQL can be used by an attacker to create a denial of service, to elevate his privileges, or to access the service.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 09/09/2009.
Identifiers: 270408, 6784052, 6879165, 6879166, 6888545, BID-36314, c03333585, CERTA-2009-AVI-380, CVE-2009-3229, CVE-2009-3230, CVE-2009-3231, DSA-1900-1, FEDORA-2009-9473, FEDORA-2009-9474, HPSBMU02781, http://sunsolve.sun.com/search/document.do?assetkey=1-66-270408-16879165, MDVSA-2009:176, MDVSA-2009:177, MDVSA-2009:251-1, RHSA-2009:1461-01, RHSA-2009:1484-01, RHSA-2009:1485-01, SSRT100617, SUSE-SR:2009:016, SUSE-SR:2009:017, TLSA-2009-29, VIGILANCE-VUL-9015.

Description of the vulnerability

Three vulnerabilities of PostgreSQL can be used by an attacker to create a denial of service, to elevate his privileges, or to access the service.

An authenticated attacker can reload libraries located under $libdir/plugins, in order to stop the service. [severity:1/4; CERTA-2009-AVI-380, CVE-2009-3229]

An authenticated attacker can use RESET SESSION AUTHORIZATION, in order to execute queries with privileges of another user. [severity:2/4; CVE-2009-3230]

When PostgreSQL is configured for LDAP authentication against a directory that allows anonymous binds, an attacker can authenticate with an empty password. [severity:2/4; CVE-2009-3231]
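Why an empty password gets through, shown as an added example that is not part of the Vigil@nce bulletin and not PostgreSQL's own code: an LDAP simple bind that carries a DN but an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2), and a directory that permits anonymous access answers it with success while granting only an anonymous session. Any caller that equates "bind succeeded" with "user authenticated" is therefore bypassed. The `FakeDirectory` class, the DNs and the passwords below are constructed stand-ins; a real deployment would call an LDAP client library in their place.

```python
"""Added illustration, not PostgreSQL code: an LDAP simple bind with a DN but
an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2) and
succeeds on servers that allow anonymous access, so the caller must refuse
empty credentials before binding. FakeDirectory and the DNs are constructed
for the demo; a real deployment would call an LDAP client library instead."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BindResult:
    success: bool
    authenticated_as: Optional[str]  # None: the session is anonymous


class FakeDirectory:
    """Stand-in for a directory server configured to permit anonymous binds."""

    def __init__(self, passwords: Dict[str, str]):
        self._passwords = passwords

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if password == "":
            # Anonymous (empty DN) or unauthenticated (DN, no password) bind:
            # the server reports success but grants only an anonymous session.
            return BindResult(success=True, authenticated_as=None)
        if self._passwords.get(dn) == password:
            return BindResult(success=True, authenticated_as=dn)
        return BindResult(success=False, authenticated_as=None)


def authenticate_vulnerable(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Vulnerable pattern: any successful bind counts as a login."""
    return directory.simple_bind(dn, password).success


def authenticate_fixed(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Hardened pattern: refuse empty credentials before talking to the server,
    and accept only a bind that actually authenticated the requested DN."""
    if not dn or not password:
        return False
    result = directory.simple_bind(dn, password)
    return result.success and result.authenticated_as == dn


ALICE = "uid=alice,ou=people,dc=example,dc=com"
DIRECTORY = FakeDirectory({ALICE: "correct horse battery staple"})

if __name__ == "__main__":
    print("vulnerable, empty password:", authenticate_vulnerable(DIRECTORY, ALICE, ""))
    print("fixed, empty password:     ", authenticate_fixed(DIRECTORY, ALICE, ""))
```

The empty-password check belongs in the application, not only in the directory's configuration: a server-side policy that forbids anonymous binds is a second line of defence, but the client cannot assume every directory it is pointed at enforces one.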

computer weakness alert CVE-2009-0922

PostgreSQL: denial of service via the encoding conversion

Synthesis of the vulnerability

An attacker authenticated on PostgreSQL can generate an error during the character encoding conversion in order to create a temporary denial of service.
Severity: 1/4.
Creation date: 18/03/2009.
Identifiers: 258808, 488156, 6817870, 6817871, 6818380, BID-34090, c03333585, CERTA-2009-AVI-205, CVE-2009-0922, FEDORA-2009-2927, FEDORA-2009-2959, HPSBMU02781, MDVSA-2009:079, RHSA-2009:1067-01, RHSA-2009:1484-01, RHSA-2009:1485-01, SSRT100617, SUSE-SR:2009:009, TLSA-2009-14, VIGILANCE-VUL-8542.

Description of the vulnerability

The "CREATE DEFAULT CONVERSION" command is a PostgreSQL extension to define a conversion between character encodings (LATIN1, UTF8, etc.).

When an error occurs, PostgreSQL returns an error message to the client, converted to the client's encoding (defined by "set client_encoding"). This conversion is performed by the conversion functions defined with "CREATE DEFAULT CONVERSION".

However, a local attacker can use "CREATE DEFAULT CONVERSION" to register an invalid conversion function. The next error message is then converted with this invalid function, which fails and raises a new error, whose message is converted with the same function, and so on. The resulting infinite recursion temporarily locks the database.

An attacker authenticated on PostgreSQL can therefore generate an error during the character encoding conversion in order to create a temporary denial of service.
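The failure mode described above, shown as an added example that is not part of the Vigil@nce bulletin and not PostgreSQL's own code: an error path that renders its message through a client-supplied conversion recurses without bound as soon as that conversion itself raises. The reentrancy guard in the hardened version is a general fail-safe pattern for error reporting (the error path must not depend on the component that just failed); it is not a claim about how PostgreSQL fixed this bug. `Session`, the conversion functions and the messages are constructed for the demonstration.

```python
"""Added illustration, not PostgreSQL code: an error path that relies on a
client-installed conversion recurses without bound when that conversion itself
fails. The reentrancy guard is a general fail-safe pattern, not a claim about
how PostgreSQL fixed the bug. Session, the conversions and messages are
constructed for the demo."""
from typing import Callable


class ConversionError(Exception):
    """Raised by a conversion function that cannot translate a message."""


def broken_conversion(message: str) -> str:
    """Stands in for an attacker-registered conversion that always fails."""
    raise ConversionError("conversion failed")


def ascii_fallback(message: str) -> str:
    """Encoding-independent rendering used when the client conversion is unusable."""
    return message.encode("ascii", "replace").decode("ascii")


class Session:
    def __init__(self, to_client: Callable[[str], str]):
        self.to_client = to_client          # the conversion selected by client_encoding
        self.in_error_conversion = False    # reentrancy flag used by the fixed path


def report_error_vulnerable(session: Session, message: str) -> str:
    """Vulnerable pattern: the failure of the conversion is itself reported
    through the same conversion, so one broken converter loops forever."""
    try:
        return session.to_client(message)
    except ConversionError as exc:
        return report_error_vulnerable(session, f"could not convert error text: {exc}")


def report_error_fixed(session: Session, message: str) -> str:
    """Hardened pattern: while already converting an error, do not re-enter the
    converter; fall back to a rendering that cannot fail."""
    if session.in_error_conversion:
        return ascii_fallback(message)
    session.in_error_conversion = True
    try:
        return session.to_client(message)
    except ConversionError as exc:
        return report_error_fixed(session, f"could not convert error text: {exc}")
    finally:
        session.in_error_conversion = False


def loops_forever(report: Callable[[Session, str], str], session: Session, message: str) -> bool:
    """True if the reporter exhausts the interpreter's recursion limit, which is
    the Python stand-in for the server-side lockup described above."""
    try:
        report(session, message)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    print("vulnerable loops:", loops_forever(report_error_vulnerable, Session(broken_conversion), "division by zero"))
    print("fixed returns:   ", report_error_fixed(Session(broken_conversion), "division by zero"))
```

The design point is that the fallback path uses nothing an unprivileged user can replace: a plain ASCII rendering is always available, so the second-level error is delivered instead of looping, and the flag is cleared in `finally` so that the next, unrelated error starts from a clean state.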

threat alert CVE-2007-5333 CVE-2007-5342 CVE-2007-5461

Apache Tomcat 6.0.14/15: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities affect Apache Tomcat 6.0.14/15.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 11/02/2008.
Identifiers: BID-26070, BID-27006, BID-27703, BID-27706, BID-49470, c03824583, CERTA-2007-AVI-470, CERTA-2007-AVI-569, CERTA-2008-AVI-066, CERTA-2013-AVI-440, CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-5641-ERROR, CVE-2007-6286, CVE-2008-0002, HPSBMU02894, KB25966, MDVSA-2010:176, RHSA-2008:0524-01, RHSA-2009:1562-01, RHSA-2009:1563-01, RHSA-2010:0602-02, SNS Advisory No.97, SUSE-SR:2008:005, VIGILANCE-VUL-7569, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.

Description of the vulnerability

Several vulnerabilities affect Apache Tomcat 6.0.14/15.

The patch for the VIGILANCE-VUL-7084 vulnerability was incomplete. [severity:2/4; BID-27706, CERTA-2008-AVI-066, CVE-2007-5333, SNS Advisory No.97]

A malicious application can use JULI in order to alter some files (VIGILANCE-VUL-7456). [severity:1/4; BID-27006, CERTA-2007-AVI-569, CVE-2007-5342]

An attacker with write access via WebDAV can read a file located on the system (VIGILANCE-VUL-7260). [severity:2/4; BID-26070, CERTA-2007-AVI-470, CVE-2007-5461, CVE-2007-5641-ERROR]

When the native (APR) connector is used, an attacker can connect to the SSL port and obtain data from another session. [severity:1/4; BID-49470, CVE-2007-6286]

If the client disconnects, the parameters it sent can be processed as part of the next request. [severity:1/4; BID-27703, CVE-2008-0002]

weakness announce CVE-2007-5333 CVE-2007-5342 CVE-2007-5461

Apache Tomcat 5.5.25: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities affect Apache Tomcat 5.5.25.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 11/02/2008.
Identifiers: BID-26070, BID-27006, BID-27706, BID-49470, c03824583, CERTA-2007-AVI-470, CERTA-2007-AVI-569, CERTA-2008-AVI-066, CERTA-2013-AVI-440, CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-5641-ERROR, CVE-2007-6286, FEDORA-2008-1467, FEDORA-2008-1603, HPSBMU02894, KB25966, MDVSA-2008:188, MDVSA-2009:018, MDVSA-2010:176, RHSA-2008:0042-01, RHSA-2008:0195-01, RHSA-2008:0261-01, RHSA-2008:0524-01, RHSA-2008:0862-02, RHSA-2009:1164-01, RHSA-2009:1454-01, RHSA-2009:1562-01, RHSA-2009:1563-01, RHSA-2009:1616-01, RHSA-2010:0602-02, SNS Advisory No.97, SUSE-SR:2008:005, VIGILANCE-VUL-7568, VMSA-2008-00010.3, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.

Description of the vulnerability

Several vulnerabilities affect Apache Tomcat 5.5.25.

The patch for the VIGILANCE-VUL-7084 vulnerability was incomplete. [severity:2/4; BID-27706, CERTA-2008-AVI-066, CVE-2007-5333, SNS Advisory No.97]

A malicious application can use JULI in order to alter some files (VIGILANCE-VUL-7456). [severity:1/4; BID-27006, CERTA-2007-AVI-569, CVE-2007-5342]

An attacker with write access via WebDAV can read a file located on the system (VIGILANCE-VUL-7260). [severity:2/4; BID-26070, CERTA-2007-AVI-470, CVE-2007-5461, CVE-2007-5641-ERROR]

When the native (APR) connector is used, an attacker can connect to the SSL port and obtain data from another session. [severity:1/4; BID-49470, CVE-2007-6286]

cybersecurity weakness CVE-2005-3164 CVE-2007-1355 CVE-2007-2449

Apache Tomcat 4.1.36: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities affect Apache Tomcat 4.1.36.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 8.
Creation date: 11/02/2008.
Identifiers: 239312, BID-24058, BID-24999, BID-25316, BID-26070, BID-27706, c03824583, CERTA-2007-AVI-267, CERTA-2007-AVI-362, CERTA-2007-AVI-470, CERTA-2008-AVI-066, CERTA-2008-AVI-343, CERTA-2011-AVI-221, CERTA-2013-AVI-440, CVE-2005-3164, CVE-2007-1355, CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3383, CVE-2007-3385, CVE-2007-5333, CVE-2007-5461, CVE-2007-5641-ERROR, HPSBMU02894, KB25966, MDVSA-2010:176, RHSA-2008:0524-01, RHSA-2009:1562-01, RHSA-2009:1563-01, RHSA-2010:0602-02, SNS Advisory No.97, SUSE-SR:2008:005, SUSE-SR:2008:007, VIGILANCE-VUL-7567, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5, VU#862600, VU#993544.

Description of the vulnerability

Several vulnerabilities affect Apache Tomcat 4.1.36.

Two vulnerabilities of HTTP and AJP connectors permit an attacker to obtain information (VIGILANCE-VUL-6808). [severity:1/4; CERTA-2008-AVI-343, CVE-2005-3164]

An attacker can use the example provided in the documentation in order to generate a Cross Site Scripting attack (VIGILANCE-VUL-6819). [severity:1/4; BID-24058, CERTA-2007-AVI-362, CVE-2007-1355]

An attacker can exploit two Cross Site Scripting attacks on Apache Tomcat (VIGILANCE-VUL-6915). [severity:2/4; CERTA-2007-AVI-267, CVE-2007-2449, CVE-2007-2450]

An attacker can obtain the value of a victim's cookies by using special characters (VIGILANCE-VUL-7084). [severity:2/4; BID-25316, CVE-2007-3382, VU#993544]

The SendMailServlet example can be used to generate Cross Site Scripting attacks (VIGILANCE-VUL-7083). [severity:1/4; BID-24999, CVE-2007-3383, VU#862600]

An attacker can obtain the value of a victim's cookies by using special characters (VIGILANCE-VUL-7084). [severity:2/4; BID-25316, CERTA-2011-AVI-221, CVE-2007-3385, VU#993544]

The patch for the VIGILANCE-VUL-7084 vulnerability was incomplete. [severity:2/4; BID-27706, CERTA-2008-AVI-066, CVE-2007-5333, SNS Advisory No.97]

An attacker with write access via WebDAV can read a file located on the system (VIGILANCE-VUL-7260). [severity:2/4; BID-26070, CERTA-2007-AVI-470, CVE-2007-5461, CVE-2007-5641-ERROR]