CVE-2009-0783

MEDIUM

Description

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.

References

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html

http://marc.info/?l=bugtraq&m=127420533226623&w=2

http://marc.info/?l=bugtraq&m=129070310906557&w=2

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://secunia.com/advisories/35685

http://secunia.com/advisories/35788

http://secunia.com/advisories/37460

http://secunia.com/advisories/42368

http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1

http://support.apple.com/kb/HT4077

http://svn.apache.org/viewvc?rev=652592&view=rev

http://svn.apache.org/viewvc?rev=681156&view=rev

http://svn.apache.org/viewvc?rev=739522&view=rev

http://svn.apache.org/viewvc?rev=781542&view=rev

http://svn.apache.org/viewvc?rev=781708&view=rev

http://tomcat.apache.org/security-4.html

http://tomcat.apache.org/security-5.html

http://tomcat.apache.org/security-6.html

http://www.debian.org/security/2011/dsa-2207

http://www.mandriva.com/security/advisories?name=MDVSA-2009:136

http://www.mandriva.com/security/advisories?name=MDVSA-2009:138

http://www.mandriva.com/security/advisories?name=MDVSA-2010:176

http://www.securityfocus.com/archive/1/504090/100/0/threaded

http://www.securityfocus.com/archive/1/507985/100/0/threaded

http://www.securityfocus.com/bid/35416

http://www.securitytracker.com/id?1022336

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

http://www.vupen.com/english/advisories/2009/1856

http://www.vupen.com/english/advisories/2009/3316

http://www.vupen.com/english/advisories/2010/3056

https://exchange.xforce.ibmcloud.com/vulnerabilities/51195

https://issues.apache.org/bugzilla/show_bug.cgi?id=29936

https://issues.apache.org/bugzilla/show_bug.cgi?id=45933

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html

Details

Source: MITRE

Published: 2009-06-05

Updated: 2019-09-27

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 4.6

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 3.9

Severity: MEDIUM

CVSS v3.0

Base Score: 4.2

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Impact Score: 3.4

Exploitability Score: 0.8

Severity: MEDIUM