Gentoo Linux Security Advisory 201705-9 - Multiple vulnerabilities have been found in Apache Tomcat, the worst of which could lead to privilege escalation. Versions less than 8.0.36 are affected.
32a00eece0fedfca7e3d14c18c552d78e1bb762223bc097962ee70ea1c994b64
Red Hat Security Advisory 2016-2807-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. This release of Red Hat JBoss Web Server 2.1.2 serves as a replacement for Red Hat JBoss Web Server 2.1.1. It contains security fixes for the Tomcat 7 component. Only users of the Tomcat 7 component in JBoss Web Server need to apply the fixes delivered in this release. Security Fix: A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack.
a747ee41bc1c78f0329cb06102ce7044196717407b83c8ba83cdc599fc05f1e6
Red Hat Security Advisory 2016-2808-01 - This release of Red Hat JBoss Web Server 2.1.2 serves as a replacement for Red Hat JBoss Web Server 2.1.1. It contains security fixes for the Tomcat 7 component. Only users of the Tomcat 7 component in JBoss Web Server need to apply the fixes delivered in this release. Security Fix: A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack.
6aabba5392b13a85b44e0e196d13a81b259818172e29bc8bb40c46530f9dfb13
Red Hat Security Advisory 2016-2599-02 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. The following packages have been upgraded to a newer upstream version: tomcat. Security Fix: A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack.
eb4b78c2f1daa3013b5a8463412acf3f72bbf7cecd1cb000754357f150091883
Red Hat Security Advisory 2016-2045-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
609cecfe793f7ba2060d8e359b0c28df529745da895283da5842ba6287323e62
Ubuntu Security Notice 3024-1 - It was discovered that Tomcat incorrectly handled pathnames used by web applications in a getResource, getResourceAsStream, or getResourcePaths call. A remote attacker could use this issue to possibly list a parent directory . This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. It was discovered that the Tomcat mapper component incorrectly handled redirects. A remote attacker could use this issue to determine the existence of a directory. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. Various other issues were also addressed.
4370e181c653b8239d33a7ca5224666cb7d29084f3014c7e307c339e87ecd273
Debian Linux Security Advisory 3609-1 - Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections, bypass of the SecurityManager or denial of service.
dc0dfa37ac8428b022149f7007f8c04701baa05b455c582b2b3162c0543ee491
HP Security Bulletin HPSBOV03615 1 - Potential security vulnerabilities have been identified in OpenVMS CSWS running the Apache Tomcat 7 Servlet Engine. These vulnerabilities could be exploited remotely resulting in access restriction bypass, Cross-Site Request Forgery (CSRF), directory traversal, unauthorized read access to data, execution of arbitrary code with privilege elevation, or Denial of Service (DoS). Revision 1 of this advisory.
ede618831ba4bd88562474a907f609650ab7e6942ea6ff0205c3ea9f43a8cc05
HP Security Bulletin HPSBUX03606 1 - Potential security vulnerabilities have been identified in HP-UX running the Apache Tomcat 7 Servlet Engine. These vulnerabilities could be exploited remotely resulting in URL redirection, access restriction bypass, Cross-Site Request Forgery (CSRF), directory traversal, unauthorized read access to data, execution of arbitrary code with privilege elevation, or Denial of Service (DoS). Revision 1 of this advisory.
df62ff6655a43fb30ff150baa36bd88eeea1345a5f855edc60c502d45bb1d955
Red Hat Security Advisory 2016-1088-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References.
4794c3698f75c399fd8e56a93178cf1d6428ab89a65144f4783b6186670d6dd7
Red Hat Security Advisory 2016-1087-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References.
b7bd3ec66ec724db03317de31401f5cfbf0df255890d170f9025765106bac939
Red Hat Security Advisory 2016-1089-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References.
9406c3d8ed760c85a4d0cbf50bb6b97066f995e281ab809f70e60509429650aa
Debian Linux Security Advisory 3552-1 - Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections and bypass of the SecurityManager.
1b018da117488b19261b9d974ed2fe2088c108c4c83626583134bb1f11f147c8
HP Security Bulletin HPSBUX03561 1 - Potential security vulnerabilities has been identified in the HP-UX Tomcat-based Servlet Engine. These vulnerabilities could be exploited remotely to create Denial of Service (DoS), access restriction bypass, unauthorized read access to files, arbitrary code execution, and execution of arbitrary code with privilege elevation. Revision 1 of this advisory.
b5ecc5252638e66ff1f2f7a910bebebcd847eea2f66b38f774d1ef2569c89a5a
Debian Linux Security Advisory 3530-1 - Multiple security vulnerabilities have been fixed in the Tomcat servlet and JSP engine, which may result on bypass of security manager restrictions, information disclosure, denial of service or session fixation.
77795095ecabfbe0b7faeebcf56310cbe664e59cc59399f4ca8042fe47af5751
Apache Tomcat provides several session persistence mechanisms. The StandardManager persists session over a restart. The PersistentManager is able to persist sessions to files, a database or a custom Store. The Cluster implementation persists sessions to one or more additional nodes in the cluster. All of these mechanisms could be exploited to bypass a security manager. Session persistence is performed by Tomcat code with the permissions assigned to Tomcat internal code. By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code. Apache Tomcat versions 6.0.0 through 6.0.44, 7.0.0 through 7.0.67, 8.0.0.RC1 through 8.0.30, and 9.0.0.M1 are affected.
d8b973e72649ee49a60e92929010021e4dfc8736401a1288bdb928d8309d8597