Lucene search
This script is Copyright (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.TOMCAT_7_0_50.NASLHistoryFeb 25, 2014 - 12:00 a.m.
Apache Tomcat 7.0.0 < 7.0.50 multiple vulnerabilities
2014-02-2500:00:00
This script is Copyright (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
78
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
9.7 High
AI Score
Confidence
High
0.718 High
EPSS
Percentile
98.1%
The version of Tomcat installed on the remote host is prior to 7.0.50. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_7.0.50_security-7 advisory.
-
Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.
(CVE-2012-3544) -
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain Tomcat internals information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. (CVE-2013-4590)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(72691);
script_version("1.13");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/23");
script_cve_id("CVE-2012-3544", "CVE-2013-4590");
script_bugtraq_id(65767, 65768);
script_name(english:"Apache Tomcat 7.0.0 < 7.0.50 multiple vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote Apache Tomcat server is affected by multiple vulnerabilities");
script_set_attribute(attribute:"description", value:
"The version of Tomcat installed on the remote host is prior to 7.0.50. It is, therefore, affected by multiple
vulnerabilities as referenced in the fixed_in_apache_tomcat_7.0.50_security-7 advisory.
- Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked
transfer coding, which allows remote attackers to cause a denial of service by streaming data.
(CVE-2012-3544)
- Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain
Tomcat internals information by leveraging the presence of an untrusted web application with a
context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in
conjunction with an entity reference, related to an XML External Entity (XXE) issue. (CVE-2013-4590)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.50
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?09fb312a");
script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1521864");
script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1549523");
script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1549529");
script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Tomcat version 7.0.50 or later.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-4590");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/08");
script_set_attribute(attribute:"patch_publication_date", value:"2014/02/25");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/25");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat:7");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin", "os_fingerprint.nasl");
script_require_keys("installed_sw/Apache Tomcat");
exit(0);
}
include('vcf_extras.inc');
vcf::tomcat::initialize();
var app_info = vcf::combined_get_app_info(app:'Apache Tomcat');
var constraints = [
{ 'min_version' : '7.0.0', 'max_version' : '7.0.47', 'fixed_version' : '7.0.50' }
];
vcf::check_all_backporting(app_info:app_info);
vcf::check_granularity(app_info:app_info, sig_segments:3);
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_WARNING
);
Related
tomcat
tomcat
Fixed in Apache Tomcat 8.0.0-RC10
2013-12-26 00:00:00
Fixed in Apache Tomcat 7.0.50
2014-01-08 00:00:00
Fixed in Apache Tomcat 6.0.39
2014-01-31 00:00:00
nessus
nessus
Apache Tomcat < 8.0.0-RC10 Multiple Vulnerabilities
2019-01-11 00:00:00
Fedora 20 : tomcat-7.0.52-1.fc20 (2014-11048)
2014-09-29 00:00:00
Oracle Linux 6 : tomcat6 (ELSA-2014-1038)
2014-08-12 00:00:00
ibm
ibm
openvas
openvas
Fedora Update for tomcat FEDORA-2014-11048
2014-10-01 00:00:00
Apache Tomcat Denial Of Service Vulnerability - Windows
2013-06-06 00:00:00
Apache Tomcat Multiple Vulnerabilities - 02 (Mar 2014)
2014-03-25 00:00:00
atlassian
atlassian
CVE-2013-4590 vulnerability with Tomcat 7.0.42 shipped with Crowd 2.7.2
2014-05-24 04:42:42
CVE-2013-4590 vulnerability with Tomcat 7.0.42 shipped with Crowd 2.7.2
2014-05-24 04:42:42
Upgrade bundled Tomcat to the latest minor release
2013-06-19 09:30:24
securityvulns
securityvulns
seebug
seebug
Apache TomcatXML外部实体信息泄漏漏洞
2014-02-27 00:00:00
Apache Tomcat 不完整修复拒绝服务漏洞
2014-02-27 00:00:00
nvd
nvd
cve
cve
osv
osv
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
2022-05-14 01:10:35
Apache Tomcat Denial of Service vulnerability
2022-05-14 01:10:35
tomcat6 - regression update
2014-11-23 00:00:00
ubuntucve
ubuntucve
debiancve
debiancve
github
github
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
2022-05-14 01:10:35
Apache Tomcat Denial of Service vulnerability
2022-05-14 01:10:35
cvelist
cvelist
prion
prion
veracode
veracode
XML External Entity (XXE)
2019-01-15 08:58:51
checkpoint_advisories
checkpoint_advisories
Apache Tomcat Chunked Transfer Denial of Service - Ver 2 (CVE-2012-3544)
2013-11-10 00:00:00
redhat
redhat
(RHSA-2014:1038) Low: tomcat6 security update
2014-08-11 00:00:00
(RHSA-2014:0527) Moderate: Red Hat JBoss Web Server 2.0.1 tomcat7 security update
2014-05-21 15:31:56
(RHSA-2014:0686) Important: tomcat security update
2014-06-10 00:00:00
centos
centos
tomcat6 security update
2014-08-11 18:04:13
tomcat6 security update
2014-04-23 19:07:14
mageia
mageia
Updated tomcat package fixes security vulnerabilities
2014-04-03 04:16:05
Updated tomcat package fixes security vulnerabilities
2014-04-03 04:16:05
Updated tomcat6 packages fix multiple vulnerabilities and logging
2014-02-17 22:13:24
fedora
fedora
[SECURITY] Fedora 20 Update: tomcat-7.0.52-1.fc20
2014-09-26 09:02:42
oraclelinux
oraclelinux
tomcat6 security update
2014-08-11 00:00:00
tomcat security update
2014-08-07 00:00:00
ubuntu
ubuntu
Tomcat vulnerabilities
2013-05-28 00:00:00
amazon
amazon
Medium: tomcat6
2014-05-21 10:45:00
vmware
vmware
VMware vSphere product updates to third party libraries
2014-09-09 00:00:00
VMware vSphere product updates to third party libraries
2014-09-09 00:00:00
debian
debian
[SECURITY] [DLA 91-1] tomcat6 security update
2014-11-23 09:02:25
[SECURITY] [DSA 2725-1] tomcat6 security update
2013-07-18 17:58:50
[SECURITY] [DSA 3530-1] tomcat6 security update
2016-03-25 18:47:56
f5
f5
K20038622 : Multiple Apache Tomcat vulnerabilities
2020-08-06 00:00:00
gentoo
gentoo
Apache Tomcat: Multiple vulnerabilities
2014-12-15 00:00:00
oracle
oracle
Oracle Critical Patch Update - July 2014
2014-07-15 00:00:00
Oracle Critical Patch Update - January 2014
2014-01-14 00:00:00
Oracle Critical Patch Update - October 2014
2014-10-14 00:00:00
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
9.7 High
AI Score
Confidence
High
0.718 High
EPSS
Percentile
98.1%
Related for TOMCAT_7_0_50.NASL