CVE-2009-0783

medium

Description

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.

References

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

https://issues.apache.org/bugzilla/show_bug.cgi?id=45933

https://issues.apache.org/bugzilla/show_bug.cgi?id=29936

https://exchange.xforce.ibmcloud.com/vulnerabilities/51195

http://www.vupen.com/english/advisories/2010/3056

http://www.vupen.com/english/advisories/2009/3316

http://www.vupen.com/english/advisories/2009/1856

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

http://www.securitytracker.com/id?1022336

http://www.securityfocus.com/bid/35416

http://www.securityfocus.com/archive/1/507985/100/0/threaded

http://www.securityfocus.com/archive/1/504090/100/0/threaded

http://www.mandriva.com/security/advisories?name=MDVSA-2010:176

http://www.mandriva.com/security/advisories?name=MDVSA-2009:138

http://www.mandriva.com/security/advisories?name=MDVSA-2009:136

http://www.debian.org/security/2011/dsa-2207

http://tomcat.apache.org/security-6.html

http://tomcat.apache.org/security-5.html

http://tomcat.apache.org/security-4.html

http://svn.apache.org/viewvc?rev=781708&view=rev

http://svn.apache.org/viewvc?rev=781542&view=rev

http://svn.apache.org/viewvc?rev=739522&view=rev

http://svn.apache.org/viewvc?rev=681156&view=rev

http://svn.apache.org/viewvc?rev=652592&view=rev

http://support.apple.com/kb/HT4077

http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1

http://secunia.com/advisories/42368

http://secunia.com/advisories/37460

http://secunia.com/advisories/35788

http://secunia.com/advisories/35685

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://marc.info/?l=bugtraq&m=129070310906557&w=2

http://marc.info/?l=bugtraq&m=127420533226623&w=2

http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

Details

Source: Mitre, NVD

Published: 2009-06-05

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 4.2

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Severity: Medium