Apache Tomcat 6.0.x < 6.0.39 Multiple Vulnerabilities
PVS ID: 8141 FAMILY: Web Servers RISK: MEDIUM NESSUS ID: 72690
Description:

Synopsis:

The remote web server is affected by multiple vulnerabilities.

Versions of Tomcat 6.0.x earlier than 6.0.39 are potentially affected by the following vulnerabilities:

 - The version of Java used to build the application could generate Javadoc containing a frame injection error. (CVE-2013-1571)

 - The fix for CVE-2005-2090 was not complete and the application does not reject requests with multiple Content-Length HTTP headers or with Content-Length HTTP headers when using chunked encoding. (CVE-2013-4286)

 - The fix for CVE-2012-3544 was not complete and limits are not properly applied to chunk extensions and whitespaces in certain trailing headers. This error could allow denial of service attacks. (CVE-2013-4322)

 - The application allows XML External Entity (XXE) processing that could disclose sensitive information. (CVE-2013-4590)

 - An error exists related to the 'disableURLRewriting' configuration option and session IDs. (CVE-2014-0033)

The observed version of Apache Tomcat:
 %L

Solution: Upgrade to Apache Tomcat 6.0.39 or later.

CVE-2014-0033


Copyright Tenable Network Security Inc. 2014