Debian DSA-2207-1 : tomcat5.5 - several vulnerabilities

Severity: Medium | Nessus Plugin ID 53212

Synopsis

The remote Debian host is missing a security-related update.

Description

Various vulnerabilities have been discovered in the Tomcat Servlet and JSP engine, resulting in denial of service, cross-site scripting, information disclosure and WAR file traversal. Further details on the individual security issues can be found on the Apache Tomcat 5 vulnerabilities page.

Solution

Upgrade the tomcat5.5 packages.

For the oldstable distribution (lenny), this problem has been fixed in version 5.5.26-5lenny2.

The stable distribution (squeeze) no longer contains tomcat5.5. tomcat6 is already fixed.

Plugin Details

Severity: Medium

ID: 53212

File Name: debian_DSA-2207.nasl

Version: 1.18

Type: local

Agent: unix

Published: 3/30/2011

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 6.2

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 4.2

Temporal Score: 3.9

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:tomcat5.5, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/dpkg-l, Host/Debian/release

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/30/2011

Vulnerability Publication Date: 3/9/2009

Exploitable With

CANVAS (D2ExploitPack)

Reference Information

CVE: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783, CVE-2009-2693, CVE-2009-2902, CVE-2010-1157, CVE-2010-2227

BID: 35193, 35196, 35263, 35416, 37944, 37945, 39635, 41544

CWE: 20, 22, 79, 200

DSA: 2207