Synopsis
The remote web server is affected by multiple vulnerabilities.

Description
Versions of Apache Tomcat 6.0.x earlier than 6.0.39 are potentially affected by the following vulnerabilities:
- The version of Java used to build the application could generate Javadoc that is vulnerable to frame injection. (CVE-2013-1571)
- The fix for CVE-2005-2090 was incomplete: the application does not reject requests that carry multiple Content-Length headers, or a Content-Length header together with chunked transfer encoding. Such ambiguous message framing can be exploited for HTTP request smuggling when Tomcat sits behind a reverse proxy. (CVE-2013-4286)
- The fix for CVE-2012-3544 was incomplete: limits are not properly applied to chunk extensions and to whitespace in certain trailing headers of chunked requests, which could allow denial of service attacks. (CVE-2013-4322)
- The application processes XML External Entity (XXE) declarations in XML files of deployed web applications, which could disclose sensitive Tomcat-internal information. (CVE-2013-4590)
- Session IDs are still accepted from the URL even when the 'disableURLRewriting' configuration option is enabled, which could allow session fixation attacks. (CVE-2014-0033)
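The request-framing condition behind CVE-2013-4286 is easy to check for on the server side. The following validator is an added example, not Apache Tomcat's code: it applies the rule the fixed version enforces (reject any request with more than one Content-Length value, or with a Content-Length header alongside chunked transfer encoding) and additionally rejects a Transfer-Encoding list that does not end in chunked, as RFC 7230 requires. The sample requests and the function names are constructed for this example.

```python
"""Reject HTTP/1.1 requests whose message framing is ambiguous.

Added example, not Apache Tomcat code. It applies the rule the advisory
describes for CVE-2013-4286: a request carrying more than one
Content-Length value, or a Content-Length header together with
Transfer-Encoding: chunked, is rejected instead of parsed, because a
reverse proxy and the origin server could otherwise disagree on where
the request body ends (HTTP request smuggling). The sample requests at
the bottom are constructed for this example.
"""
from typing import List, Optional, Tuple

Header = Tuple[str, str]  # (lower-cased name, value)


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw request head into (request line, header list).

    Duplicates and order are kept deliberately: the framing checks need
    to see every occurrence of a header, not a merged dictionary.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def framing_error(headers: List[Header]) -> Optional[str]:
    """Return why the framing is ambiguous, or None if it is unambiguous."""
    # A comma-separated list inside one header counts as multiple values.
    cl_values = [v.strip() for name, raw in headers if name == "content-length"
                 for v in raw.split(",")]
    te_values = [v.strip().lower() for name, raw in headers
                 if name == "transfer-encoding" for v in raw.split(",")]

    if len(cl_values) > 1:
        return "multiple Content-Length values"
    if cl_values and "chunked" in te_values:
        return "Content-Length together with chunked Transfer-Encoding"
    if cl_values and not cl_values[0].isdigit():
        return "non-numeric Content-Length"
    if te_values and te_values[-1] != "chunked":
        # Without chunked as the final coding the body length cannot be
        # determined reliably (RFC 7230 section 3.3.3).
        return "Transfer-Encoding without chunked as the final coding"
    return None


def check_request(raw: bytes) -> str:
    """Return 'ACCEPT' or 'REJECT: <reason>' for a raw request head."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return f"REJECT: {exc}"
    reason = framing_error(headers)
    return "ACCEPT" if reason is None else f"REJECT: {reason}"


# Constructed sample requests; the bodies are placeholders.
CLEAN_CL = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 5\r\n\r\nhello")
CLEAN_CHUNKED = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
DOUBLE_CL = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 40\r\n\r\nhello")
CL_AND_TE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean CL", CLEAN_CL), ("clean chunked", CLEAN_CHUNKED),
                       ("double CL", DOUBLE_CL), ("CL + TE", CL_AND_TE)]:
        print(f"{label:14s} -> {check_request(req)}")
```

The validator keeps every header occurrence rather than collapsing them into a dictionary, because the whole point of the check is to notice that two framing indicators are present at once; a parser that silently keeps the first or last Content-Length is exactly the behaviour a smuggling attack relies on. The same rule is worth applying on the reverse proxy in front of Tomcat, so that both ends reject the request rather than each picking a different body length.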
Solution
Upgrade to Apache Tomcat 6.0.39 or later.