Apache Tomcat 6.0.x < 6.0.39 Multiple Vulnerabilities

Medium

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

Versions of Tomcat 6.0.x earlier than 6.0.39 are potentially affected by the following vulnerabilities:

- The version of Java used to build the application could generate Javadoc containing a frame injection error. (CVE-2013-1571)

- The fix for CVE-2005-2090 was not complete and the application does not reject requests with multiple Content-Length HTTP headers or with Content-Length HTTP headers when using chunked encoding. (CVE-2013-4286)

- The fix for CVE-2012-3544 was not complete and limits are not properly applied to chunk extensions and whitespace in certain trailing headers. This error could allow denial of service attacks. (CVE-2013-4322)

- The application allows XML External Entity (XXE) processing that could disclose sensitive information. (CVE-2013-4590)

- An error exists related to the 'disableURLRewriting' configuration option and session IDs. (CVE-2014-0033)
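The request-framing rule that the CVE-2013-4286 entry describes (reject a request carrying more than one Content-Length header, or a Content-Length header alongside chunked Transfer-Encoding) can be checked at a reverse proxy or in a test harness in front of an unpatched instance. The following is an added example written for this page, not Tomcat's own parser or a Nessus plugin; the sample requests in `SAMPLES` are constructed, and `parse_request_head` and `framing_check` are hypothetical helper names.

```python
"""Request-framing check modeled on the fix described for CVE-2013-4286.

Added example, not Tomcat code. It parses the head of a raw HTTP/1.1
request and reports whether the framing headers are acceptable. A request
is rejected when it carries more than one Content-Length header, or a
Content-Length header together with Transfer-Encoding: chunked.
"""

from typing import List, Tuple


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into (request line, [(name, value), ...]).

    Header names are lower-cased and values stripped so that repeated
    headers can be counted regardless of case. Only the head is parsed;
    any body after the blank line is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def framing_check(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for the request head in `raw`."""
    _, headers = parse_request_head(raw)
    content_lengths = [v for n, v in headers if n == "content-length"]
    transfer_encodings = [v for n, v in headers if n == "transfer-encoding"]
    chunked = any("chunked" in v.lower() for v in transfer_encodings)

    # More than one Content-Length leaves the body length ambiguous.
    if len(content_lengths) > 1:
        return False, "multiple Content-Length headers"
    # Content-Length and chunked framing must not both be present.
    if content_lengths and chunked:
        return False, "Content-Length combined with chunked Transfer-Encoding"
    if content_lengths and not content_lengths[0].isdigit():
        return False, "non-numeric Content-Length"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain": (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\n\r\nhello"),
    "double_cl": (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello"),
    "cl_and_chunked": (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                       b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n"
                       b"\r\n0\r\n\r\n"),
    "chunked_only": (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                     b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ok, why = framing_check(raw)
        print(f"{name:15s} {'accept' if ok else 'reject'}: {why}")
```

Only the first two rejection rules correspond to the advisory text; the non-numeric Content-Length rule is an added sanity check. A front-end that enforces these rules reduces exposure while the upgrade in the Solution section is scheduled, but it is not a substitute for it.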

Solution

Upgrade to Apache Tomcat 6.0.39 or later.
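To confirm whether an installed instance falls inside the affected range, the `Server number` line printed by Tomcat's own `bin/version.sh` (or `version.bat`) can be compared against the fixed version. The following is an added example for this page, not Nessus or Tomcat code; the sample output lines are constructed, and `parse_server_number` and `is_affected` are hypothetical helper names.

```python
"""Version gate for this advisory: Tomcat 6.0.x earlier than 6.0.39.

Added example, not Nessus or Tomcat code. It reads the 'Server number'
line that Tomcat's version.sh / version.bat prints and decides whether the
instance is in the affected range. Other branches (5.5, 7.0, ...) have
their own fixed versions and are deliberately reported as out of scope.
"""

import re
from typing import Optional, Tuple

# Fixed version stated in the Solution section.
FIXED = (6, 0, 39)


def parse_server_number(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the version tuple from version.sh output, or None if absent."""
    m = re.search(r"Server number:\s*([0-9]+(?:\.[0-9]+)*)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True only for the 6.0 branch below the fixed version."""
    if version[:2] != (6, 0):
        return False
    return version[:3] < FIXED


def assess(version_output: str) -> str:
    """Turn raw version.sh output into a one-word verdict."""
    version = parse_server_number(version_output)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


# Constructed sample outputs (format follows version.sh; values are made up).
SAMPLE_OLD = "Server version: Apache Tomcat/6.0.37\nServer number:  6.0.37.0\n"
SAMPLE_FIXED = "Server version: Apache Tomcat/6.0.39\nServer number:  6.0.39.0\n"
SAMPLE_OTHER_BRANCH = "Server version: Apache Tomcat/7.0.50\nServer number:  7.0.50.0\n"

if __name__ == "__main__":
    for label, out in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED),
                       ("7.0 branch", SAMPLE_OTHER_BRANCH)):
        print(f"{label:12s} {assess(out)}")
```

Feeding the real `version.sh` output into `assess` is enough for a fleet check; the 4-part `Server number` (e.g. `6.0.37.0`) is compared on its first three components only, which is what the advisory's version range refers to.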