CVE-2009-2902

MEDIUM

Description

Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename.

References

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html

http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html

http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html

http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html

http://marc.info/?l=bugtraq&m=127420533226623&w=2

http://marc.info/?l=bugtraq&m=133469267822771&w=2

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://marc.info/?l=bugtraq&m=139344343412337&w=2

http://secunia.com/advisories/38316

http://secunia.com/advisories/38346

http://secunia.com/advisories/38541

http://secunia.com/advisories/38687

http://secunia.com/advisories/39317

http://secunia.com/advisories/40330

http://secunia.com/advisories/40813

http://secunia.com/advisories/43310

http://secunia.com/advisories/57126

http://securitytracker.com/id?1023504

http://support.apple.com/kb/HT4077

http://svn.apache.org/viewvc?rev=892815&view=rev

http://svn.apache.org/viewvc?rev=902650&view=rev

http://tomcat.apache.org/security-5.html

http://tomcat.apache.org/security-6.html

http://ubuntu.com/usn/usn-899-1

http://www.debian.org/security/2011/dsa-2207

http://www.mandriva.com/security/advisories?name=MDVSA-2010:176

http://www.mandriva.com/security/advisories?name=MDVSA-2010:177

http://www.redhat.com/support/errata/RHSA-2010-0119.html

http://www.redhat.com/support/errata/RHSA-2010-0580.html

http://www.redhat.com/support/errata/RHSA-2010-0582.html

http://www.securityfocus.com/archive/1/509150/100/0/threaded

http://www.securityfocus.com/archive/1/516397/100/0/threaded

http://www.securityfocus.com/bid/37945

http://www.vmware.com/security/advisories/VMSA-2011-0003.html

http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html

http://www.vupen.com/english/advisories/2010/0213

http://www.vupen.com/english/advisories/2010/1559

http://www.vupen.com/english/advisories/2010/1986

https://exchange.xforce.ibmcloud.com/vulnerabilities/55857

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19431

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7092

Details

Source: MITRE

Published: 2010-01-28

Updated: 2019-03-25

Type: CWE-22

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*

Tenable Plugins

View all (26 total)

ID | Name | Product | Family | Severity
89674 | VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0003) (remote check) | Nessus | Misc. | critical
74854 | openSUSE Security Update : tomcat6 (openSUSE-SU-2012:1700-1) | Nessus | SuSE Local Security Checks | medium
74853 | openSUSE Security Update : tomcat (openSUSE-SU-2012:1701-1) | Nessus | SuSE Local Security Checks | medium
68076 | Oracle Linux 5 : tomcat5 (ELSA-2010-0580) | Nessus | Oracle Linux Local Security Checks | medium
60828 | Scientific Linux Security Update : tomcat5 on SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium
59677 | GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium
53212 | Debian DSA-2207-1 : tomcat5.5 - several vulnerabilities | Nessus | Debian Local Security Checks | medium
51971 | VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX | Nessus | VMware ESX Local Security Checks | high
49929 | SuSE 10 Security Update : Tomcat 5 (ZYPP Patch Number 6839) | Nessus | SuSE Local Security Checks | medium
49207 | Mandriva Linux Security Advisory : tomcat5 (MDVSA-2010:177) | Nessus | Mandriva Local Security Checks | medium
49206 | Mandriva Linux Security Advisory : tomcat5 (MDVSA-2010:176) | Nessus | Mandriva Local Security Checks | medium
48231 | RHEL 5 : tomcat5 (RHSA-2010:0580) | Nessus | Red Hat Local Security Checks | medium
48218 | CentOS 5 : tomcat5 (CESA-2010:0580) | Nessus | CentOS Local Security Checks | medium
46170 | SuSE 10 Security Update : tomcat5 (ZYPP Patch Number 7003) | Nessus | SuSE Local Security Checks | medium
45472 | SuSE Security Update: Security update for Tomcat 5 (tomcat5-6841) | Nessus | SuSE Local Security Checks | medium
45468 | openSUSE Security Update : tomcat6 (tomcat6-2000) | Nessus | SuSE Local Security Checks | medium
45462 | openSUSE Security Update : tomcat6 (tomcat6-2000) | Nessus | SuSE Local Security Checks | medium
45456 | openSUSE Security Update : tomcat6 (tomcat6-2000) | Nessus | SuSE Local Security Checks | medium
45452 | SuSE9 Security Update : Tomcat (YOU Patch Number 12585) | Nessus | SuSE Local Security Checks | medium
5489 | Mac OS X < 10.6.3 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical
45373 | Mac OS X Multiple Vulnerabilities (Security Update 2010-002) | Nessus | MacOS X Local Security Checks | critical
45372 | Mac OS X 10.6.x < 10.6.3 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical
44594 | Ubuntu 8.10 / 9.04 / 9.10 : tomcat6 vulnerabilities (USN-899-1) | Nessus | Ubuntu Local Security Checks | medium
44314 | Apache Tomcat WAR Deployment Multiple Vulnerabilities | Nessus | Web Servers | medium
800619 | Apache Tomcat < 5.5.29 / 6.0.24 | Log Correlation Engine | Web Servers | medium
5327 | Apache Tomcat 5.5.x < 5.5.29 / 6.0.x < 6.0.24 WAR Deployment Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium