Version 6.0.53
catalina
No description available.
Install Instructions
mvn install catalina
Language Java
Package URL (purl) pkg:maven/org.apache.tomcat:catalina@6.0.53
catalina Vulnerabilities
CVE | CVSS Score | CWE(s) | EPSS Score | EPSS Percentile |
---|---|---|---|---|
CVE-2008-5515 | Medium 5 | CWE-22 | 0.00551 | 0.77347 |
CVE-2009-0580 | High 7.5 | CWE-200 | 0.96902 | 0.99824 |
CVE-2009-0781 | Medium 4.3 | CWE-79 | 0.09833 | 0.94841 |
CVE-2009-0783 | Medium 4.2 | CWE-200 | 0.00222 | 0.59959 |
CVE-2009-2901 | Medium 4.3 | CWE-264 | 0.00407 | 0.73453 |
CVE-2009-2902 | Medium 4.3 | CWE-22 | 0.00705 | 0.80158 |
CVE-2010-1157 | Low 3.7 | CWE-200 | 0.13997 | 0.95644 |
CVE-2010-3718 | Low 1.2 | CWE-22 | 0.00163 | 0.53307 |
CVE-2010-4172 | Medium 4.3 | CWE-79 | 0.16569 | 0.95995 |
CVE-2011-0013 | Medium 4.3 | CWE-79 | 0.0127 | 0.85394 |
CVE-2011-1184 | Medium 5.3 | CWE-264 | 0.00181 | 0.55497 |
CVE-2011-2204 | Low 3.3 | CWE-200 | 0.00045 | 0.17761 |
CVE-2011-2526 | Medium 5.3 | CWE-20 | 0.00046 | 0.18904 |
CVE-2011-4858 | Medium 5.3 | CWE-399 | 0.80925 | 0.98577 |
CVE-2011-5062 | Medium 5.3 | CWE-264 | 0.00181 | 0.55497 |
CVE-2011-5063 | Medium 4.3 | CWE-287 | 0.0036 | 0.71915 |
CVE-2011-5064 | Medium 4.3 | CWE-310 | 0.00321 | 0.70238 |
CVE-2012-0022 | Medium 5.3 | CWE-189 | 0.12966 | 0.95493 |
CVE-2012-3546 | Medium 4.3 | CWE-264 | 0.00291 | 0.6861 |
CVE-2012-4431 | Medium 4.3 | CWE-264 | 0.00121 | 0.46816 |
CVE-2012-5885 | Medium 5.3 | CWE-264 | 0.0017 | 0.54272 |
CVE-2012-5886 | Medium 5.3 | CWE-287 | 0.00403 | 0.7335 |
CVE-2012-5887 | Medium 5.3 | CWE-287 | 0.00403 | 0.7335 |
CVE-2013-1571 | Low 3.7 | CWE-1021 | 0.78626 | 0.98478 |
CVE-2013-4590 | Medium 4.3 | CWE-200 | 0.00597 | 0.78253 |
CVE-2014-0096 | Medium 4.3 | CWE-264 | 0.00126 | 0.47718 |
CVE-2014-0119 | Medium 4.3 | CWE-264 | 0.00167 | 0.53772 |
CVE-2014-0230 | High 7.5 | CWE-399 | 0.07366 | 0.94034 |
CVE-2015-5174 | Medium 4.3 | CWE-22 | 0.00234 | 0.61011 |
CVE-2015-5345 | Medium 5.3 | CWE-22 | 0.0052 | 0.76666 |
CVE-2016-0706 | Medium 4.3 | CWE-200 | 0.00726 | 0.80477 |
CVE-2016-0714 | High 8.8 | CWE-264 | 0.00561 | 0.77526 |
CVE-2016-0762 | Medium 5.9 | CWE-264, CWE-208 | 0.00324 | 0.70386 |
CVE-2016-6797 | High 7.5 | CWE-284 | 0.00324 | 0.70386 |
CVE-2008-0002 | High 7.5 | CWE-200 | 0.00201 | 0.57787 |
CVE-2013-2067 | Medium 6.3 | CWE-287 | 0.01464 | 0.86436 |
CVE-2011-3375 | Medium 5.3 | CWE-200 | 0.0025 | 0.64038 |
CVE-2014-0033 | Medium 4.3 | CWE-20 | 0.00337 | 0.7099 |
catalina Vulnerability Remediation Guidance
CVE | Description | Full list of Impacted Versions | Fix |
---|---|---|---|
CVE-2016-6797 | The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.39 (Show all) | Patch → 6.0.53 |
CVE-2016-0762 | The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.39 (Show all) | Patch → 6.0.53 |
CVE-2016-0714 | The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.39 (Show all) | Patch → 6.0.53 |
CVE-2016-0706 | Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.39 (Show all) | Patch → 6.0.53 |
CVE-2015-5345 | The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.39 (Show all) | Patch → 6.0.53 |
CVE-2015-5174 | Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.39 (Show all) | Patch → 6.0.53 |
CVE-2014-0230 | Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.39 (Show all) | Patch → 6.0.53 |
CVE-2014-0119 | Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.39 (Show all) | Patch → 6.0.53 |
CVE-2014-0096 | java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.39 (Show all) | Patch → 6.0.53 |
CVE-2014-0033 | org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL. | 6.0.33, 6.0.37, 6.0.36, 6.0.35 | Patch → 6.0.53 |
CVE-2013-4590 | Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.39 (Show all) | Patch → 6.0.53 |
CVE-2013-2067 | java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack. | 6.0.26, 6.0.24, 6.0.32, 6.0.33, 6.0.30, 6.0.29, 6.0.36, 6.0.35 (Show all) | Patch → 6.0.53 |
CVE-2013-1571 | Unspecified vulnerability in the Javadoc component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Javadoc. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to frame injection in HTML that is generated by Javadoc. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2012-5887 | The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2012-5886 | The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2012-5885 | The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2012-4431 | org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2012-3546 | org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2012-0022 | Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2011-5064 | DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2011-5063 | The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2011-5062 | The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2011-4858 | Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2011-3375 | Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data. | 6.0.32, 6.0.33, 6.0.30 | Patch → 6.0.53 |
CVE-2011-2526 | Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2011-2204 | Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2011-1184 | The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.32 (Show all) | Patch → 6.0.53 |
CVE-2011-0013 | Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.29 (Show all) | Patch → 6.0.53 |
CVE-2010-4172 | Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.29 (Show all) | Patch → 6.0.53 |
CVE-2010-3718 | Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16, 6.0.39 (Show all) | Patch → 6.0.53 |
CVE-2010-1157 | Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply. | 6.0.18, 6.0.13, 6.0.26, 6.0.20, 6.0.24, 6.0.14, 6.0.16 | Patch → 6.0.53 |
CVE-2009-2902 | Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename. | 6.0.18, 6.0.13, 6.0.20, 6.0.14, 6.0.16 | Patch → 6.0.53 |
CVE-2009-2901 | The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests. | 6.0.18, 6.0.13, 6.0.20, 6.0.14, 6.0.16 | Patch → 6.0.53 |
CVE-2009-0783 | Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. | 6.0.18, 6.0.13, 6.0.14, 6.0.16 | Patch → 6.0.53 |
CVE-2009-0781 | Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." | 6.0.18, 6.0.13, 6.0.14, 6.0.16 | Patch → 6.0.53 |
CVE-2009-0580 | Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter. | 6.0.18, 6.0.13, 6.0.14, 6.0.16 | Patch → 6.0.53 |
CVE-2008-5515 | Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request. | 6.0.18, 6.0.13, 6.0.14, 6.0.16 | Patch → 6.0.53 |
CVE-2008-0002 | Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by disconnecting during this processing in order to trigger the exception. | 6.0.13, 6.0.14 | Patch → 6.0.53 |