CVE-2009-2901MEDIUM
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.
References
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html
http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html
http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html
http://marc.info/?l=bugtraq&m=127420533226623&w=2
http://marc.info/?l=bugtraq&m=133469267822771&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/38316
http://secunia.com/advisories/38346
http://secunia.com/advisories/38541
http://secunia.com/advisories/39317
http://secunia.com/advisories/43310
http://secunia.com/advisories/57126
http://securitytracker.com/id?1023503
http://support.apple.com/kb/HT4077
http://svn.apache.org/viewvc?rev=892815&view=rev
http://svn.apache.org/viewvc?rev=902650&view=rev
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://ubuntu.com/usn/usn-899-1
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176
http://www.mandriva.com/security/advisories?name=MDVSA-2010:177
http://www.securityfocus.com/archive/1/509151/100/0/threaded
http://www.securityfocus.com/archive/1/516397/100/0/threaded
http://www.securityfocus.com/bid/37942
http://www.vmware.com/security/advisories/VMSA-2011-0003.html
http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html
http://www.vupen.com/english/advisories/2010/0213
https://exchange.xforce.ibmcloud.com/vulnerabilities/55856
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 89674 | VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0003) (remote check) | Nessus | Misc. | critical |
| 74854 | openSUSE Security Update : tomcat6 (openSUSE-SU-2012:1700-1) | Nessus | SuSE Local Security Checks | medium |
| 74853 | openSUSE Security Update : tomcat (openSUSE-SU-2012:1701-1) | Nessus | SuSE Local Security Checks | medium |
| 59677 | GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium |
| 51971 | VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX | Nessus | VMware ESX Local Security Checks | high |
| 49929 | SuSE 10 Security Update : Tomcat 5 (ZYPP Patch Number 6839) | Nessus | SuSE Local Security Checks | medium |
| 49207 | Mandriva Linux Security Advisory : tomcat5 (MDVSA-2010:177) | Nessus | Mandriva Local Security Checks | medium |
| 49206 | Mandriva Linux Security Advisory : tomcat5 (MDVSA-2010:176) | Nessus | Mandriva Local Security Checks | medium |
| 46170 | SuSE 10 Security Update : tomcat5 (ZYPP Patch Number 7003) | Nessus | SuSE Local Security Checks | medium |
| 45472 | SuSE Security Update: Security update for Tomcat 5 (tomcat5-6841) | Nessus | SuSE Local Security Checks | medium |
| 45468 | openSUSE Security Update : tomcat6 (tomcat6-2000) | Nessus | SuSE Local Security Checks | medium |
| 45462 | openSUSE Security Update : tomcat6 (tomcat6-2000) | Nessus | SuSE Local Security Checks | medium |
| 45456 | openSUSE Security Update : tomcat6 (tomcat6-2000) | Nessus | SuSE Local Security Checks | medium |
| 45452 | SuSE9 Security Update : Tomcat (YOU Patch Number 12585) | Nessus | SuSE Local Security Checks | medium |
| 5489 | Mac OS X < 10.6.3 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical |
| 45373 | Mac OS X Multiple Vulnerabilities (Security Update 2010-002) | Nessus | MacOS X Local Security Checks | critical |
| 45372 | Mac OS X 10.6.x < 10.6.3 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical |
| 44594 | Ubuntu 8.10 / 9.04 / 9.10 : tomcat6 vulnerabilities (USN-899-1) | Nessus | Ubuntu Local Security Checks | medium |
| 44314 | Apache Tomcat WAR Deployment Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 800619 | Apache Tomcat < 5.5.29 / 6.0.24 | Log Correlation Engine | Web Servers | medium |
| 5327 | Apache Tomcat 5.5.x < 5.5.29 / 6.0.x < 6.0.24 WAR Deployment Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |