Search Results (Refine Search)
- Keyword (text search): cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2014-0050 |
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. Published: April 01, 2014; 2:27:51 AM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2013-4590 |
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Published: February 26, 2014; 9:55:08 AM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-4322 |
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544. Published: February 26, 2014; 9:55:08 AM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-4286 |
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090. Published: February 26, 2014; 9:55:08 AM -0500 |
V3.x:(not available) V2.0: 5.8 MEDIUM |
CVE-2013-0346 |
Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor has stated "The tomcat log directory does not contain any sensitive information." Published: February 15, 2014; 9:57:07 AM -0500 |
V3.x:(not available) V2.0: 2.1 LOW |
CVE-2013-2185 |
The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue Published: January 19, 2014; 1:02:57 PM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2012-5568 |
Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. Published: November 30, 2012; 2:55:01 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |