This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.
The remote Apache Tomcat service may be affected by multiple
According to its self-reported version number, the Apache Tomcat instance listening on the remote host is earlier than Tomcat 6.0.18 and, therefore, may be affected by multiple vulnerabilities.
- The remote Apache Tomcat install is vulnerable to a cross-site scripting attack. Improper input validation allows a remote attacker to inject arbitrary script code or HTML into the message argument used by the HttpServletResponse.sendError method. (CVE-2008-1232)
- A cross-site scripting vulnerability was found in the host manager application that could allow a remote attacker to inject arbitrary web script or HTML via the hostname parameter. (CVE-2008-1947)
- A traversal vulnerability was found when using a RequestDispatcher in combination with a servlet or JSP that could allow a remote attacker to utilize a specially crafted request parameter to access protected web resources. (CVE-2008-2370)
Note that Nessus did not actually test for the flaws but instead has relied on the version in Tomcat's banner or error page, so this may be a false positive.
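The banner-based check described above, as an added illustration that is not the plugin's own code: it extracts the self-reported version from a Tomcat error page or Server banner, compares it numerically against the 6.0.18 fix version, and carries the same "not exploit-verified" caveat. The sample inputs are constructed, and limiting the check to the 6.0 branch is an assumption.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Release in which the advisory says the three issues are fixed.
FIXED_VERSION: Version = (6, 0, 18)

# Tomcat prints "Apache Tomcat/x.y.z" in the footer of its default error
# pages (and in a Server header, if an admin configured one).
_VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(text: str) -> Optional[Version]:
    """Return the self-reported version found in a banner/error page, or None."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True for a 6.0.x release earlier than 6.0.18.

    Compare integer tuples, never strings: as strings "6.0.9" > "6.0.18",
    which would wrongly clear a vulnerable build. Limiting the check to the
    6.0 branch is an assumption; the advisory names only the 6.0.18 fix.
    """
    return version[:2] == (6, 0) and version < FIXED_VERSION


def assess(page_or_banner: str) -> Dict[str, object]:
    """Version-based verdict, with the same caveat the plugin states."""
    version = parse_tomcat_version(page_or_banner)
    if version is None:
        return {"version": None, "affected": False, "basis": "no version disclosed"}
    return {
        "version": ".".join(map(str, version)),
        "affected": is_affected(version),
        # A distro backport of the fix without a version bump would still be
        # flagged here: that is the false-positive case the advisory warns about.
        "basis": "self-reported version only; not exploit-verified",
    }


# Constructed sample inputs, not captured from a real host.
SAMPLE_ERROR_PAGE = ("<html><body><h1>HTTP Status 404 - /missing</h1><hr/>"
                     "<h3>Apache Tomcat/6.0.16</h3></body></html>")
SAMPLE_BANNER_ONLY = "Server: Apache-Coyote/1.1"
```

A host that hides the version footer (custom error pages) yields "no version disclosed" rather than a verdict, which is exactly why a banner check can miss or misreport.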
See also :
Solution :
Update Apache Tomcat to version 6.0.18 or later.
Risk factor :
Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.3
Public Exploit Available : true
Family: Web Servers
Nessus Plugin ID: 47578
Bugtraq ID: 30494, 30496
CVE ID: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370