Vulnerability CVE-2009-0783
Published: 2009-06-05   Modified: 2012-02-13

Description:
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.

See advisories in our WLB2 database:
Topic
Author
Date
Low
Apache Tomcat Information disclosure
Mark Thomas
09.06.2009

Type:

CWE-200

 (Information Exposure)

CVSS2 => (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.6/10
6.4/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Apache -> Tomcat 

 References:
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
http://marc.info/?l=bugtraq&m=127420533226623&w=2
http://marc.info/?l=bugtraq&m=129070310906557&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1
http://support.apple.com/kb/HT4077
http://svn.apache.org/viewvc?rev=652592&view=rev
http://svn.apache.org/viewvc?rev=681156&view=rev
http://svn.apache.org/viewvc?rev=739522&view=rev
http://svn.apache.org/viewvc?rev=781542&view=rev
http://svn.apache.org/viewvc?rev=781708&view=rev
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://www.debian.org/security/2011/dsa-2207
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176
http://www.securityfocus.com/archive/1/504090/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/bid/35416
http://www.securitytracker.com/id?1022336
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/1856
http://www.vupen.com/english/advisories/2009/3316
http://www.vupen.com/english/advisories/2010/3056
https://exchange.xforce.ibmcloud.com/vulnerabilities/51195
https://issues.apache.org/bugzilla/show_bug.cgi?id=29936
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html
Copyright 2024, cxsecurity.com

 

Back to Top