
tomcat: multiple vulnerabilities

Package(s): tomcat
CVE #(s): CVE-2008-1232, CVE-2008-2370, CVE-2008-2938
Created: August 27, 2008
Updated: February 17, 2009

Description:

From the Red Hat advisory:

A cross-site scripting vulnerability was discovered in the HttpServletResponse.sendError() method. A remote attacker could inject arbitrary web script or HTML via forged HTTP headers. (CVE-2008-1232)

A traversal vulnerability was discovered when using a RequestDispatcher in combination with a servlet or JSP. A remote attacker could utilize a specially-crafted request parameter to access protected web resources. (CVE-2008-2370)

An additional traversal vulnerability was discovered when the "allowLinking" and "URIencoding" settings were activated. A remote attacker could use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the Tomcat process. (CVE-2008-2938)
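The three issues above come down to two generic defences: escaping request-derived text before it reaches an error page (the sendError() case) and decoding a request path strictly before checking that it stays inside the application root (the two traversal cases). The following Python is an added illustration of those checks, written for this page; it is not Tomcat's code and not part of the Red Hat advisory. The document root, the sample request paths and the use of WEB-INF as the stand-in for "protected web resources" are constructed for the example.

```python
"""Defensive checks illustrating the issue classes named above:
error-page output that echoes request-derived text, and encoded path
traversal past the application root. Illustrative code added to this
page; it is not Tomcat's implementation and all paths are constructed."""
import html
import posixpath
from urllib.parse import unquote_to_bytes


def safe_error_message(message: str) -> str:
    """Escape text before it is placed in an HTML error body.

    The sendError() issue is an injection into the error page; escaping
    the markup characters is the generic mitigation on the output side.
    """
    return html.escape(message, quote=True)


class RejectedPath(ValueError):
    """A request path that failed decoding or containment checks."""


def decode_request_path(raw_path: str) -> str:
    """Percent-decode, then decode as strict UTF-8.

    Python's default UTF-8 codec raises on overlong and otherwise
    malformed sequences, so bytes that a lenient decoder might fold
    into '.' or '/' are refused rather than interpreted.
    """
    try:
        return unquote_to_bytes(raw_path).decode("utf-8")
    except UnicodeDecodeError as exc:
        raise RejectedPath(f"malformed UTF-8 in path: {exc.reason}") from exc


# Directory the servlet specification keeps out of direct client reach;
# used here as the stand-in for the advisory's "protected web resources".
PROTECTED_PREFIX = "WEB-INF"


def resolve_within_docroot(docroot: str, raw_path: str) -> str:
    """Map a request path onto the file system and refuse anything that
    escapes the document root once decoded and normalised."""
    decoded = decode_request_path(raw_path)
    if "\x00" in decoded:
        raise RejectedPath("NUL byte in path")
    if not decoded.startswith("/"):
        raise RejectedPath("path must be absolute")
    root = posixpath.normpath(docroot)
    # Join first, normalise second: normalising the request path on its
    # own would silently drop leading '..' components and hide the escape.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise RejectedPath("path escapes document root")
    protected = posixpath.join(root, PROTECTED_PREFIX)
    if candidate == protected or candidate.startswith(protected + "/"):
        raise RejectedPath("protected resource")
    return candidate


def classify_path(docroot: str, raw_path: str) -> tuple:
    """Return ('allowed', file_path) or ('rejected', reason), a shape
    that is convenient to log from a request filter."""
    try:
        return ("allowed", resolve_within_docroot(docroot, raw_path))
    except RejectedPath as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed sample requests against a constructed document root:
    # a plain asset, a percent-encoded '..' sequence, an invalid
    # (overlong) UTF-8 sequence, and a direct request for WEB-INF.
    for path in ("/css/site.css", "/css/%2e%2e/%2e%2e/etc/passwd",
                 "/%c0%ae%c0%ae/secret", "/WEB-INF/web.xml"):
        print(path, "->", classify_path("/var/www/app", path))
```

The order of operations is the point: decode with a codec that refuses malformed UTF-8, join the decoded path onto the root, normalise the joined result, and only then test containment. Normalising the request path on its own, or running a deny-list over the raw percent-encoded string, leaves the gaps that encoded traversal relies on.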

Alerts:
SuSE SUSE-SR:2009:004 2009-02-17
Red Hat RHSA-2008:0864-02 2008-10-02
Red Hat RHSA-2008:0862-02 2008-10-02
SuSE SUSE-SR:2008:018 2008-09-19
Fedora FEDORA-2008-8113 2008-09-16
Fedora FEDORA-2008-8130 2008-09-16
Fedora FEDORA-2008-7977 2008-09-11
Mandriva MDVSA-2008:188 2008-09-05
CentOS CESA-2008:0648 2008-08-28
Red Hat RHSA-2008:0648-01 2008-08-27


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds