Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.
A cross-site scripting vulnerability was discovered in the
HttpServletResponse.sendError() method. Tomcat did not escape the message
argument before rendering it in the error page, so a web application that
passed attacker-controlled data (for example, the value of a forged HTTP
header) to sendError() allowed a remote attacker to inject arbitrary web
script or HTML. (CVE-2008-1232)
An additional cross-site scripting vulnerability was discovered in the host
manager application. A remote attacker could inject arbitrary web script or
HTML via the hostname parameter. (CVE-2008-1947)
A directory traversal vulnerability was discovered in the handling of
RequestDispatcher paths by servlets and JSPs. Tomcat normalized the path
before removing its query string, so a web application that built a
dispatcher path from a request parameter allowed a remote attacker to supply
".." sequences in that parameter and reach protected web resources, such as
the contents of WEB-INF. (CVE-2008-2370)
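The ordering bug behind CVE-2008-2370, shown here as an added example that is not Tomcat's own code: a simplified path normalizer is applied to the same dispatcher path once before and once after the query string is removed. The page path /pages/view.jsp, the file parameter and the WEB-INF target are assumptions made for illustration.

```python
"""Order of operations behind the RequestDispatcher traversal (CVE-2008-2370).
Added illustration with a simplified normalizer; not Tomcat's own code."""


def strip_query(path: str) -> str:
    """Drop everything from the first '?' onwards."""
    return path.split("?", 1)[0]


def normalize(path: str) -> str:
    """Collapse '.', '..' and empty segments of an absolute path.
    Simplified stand-in for a servlet container's normalizer (assumption)."""
    kept = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if kept:
                kept.pop()  # climb one directory; a '..' at the root is a no-op
            continue
        kept.append(segment)
    return "/" + "/".join(kept)


def vulnerable_dispatch_path(path: str) -> str:
    """Buggy order: normalize the whole string, query included, then strip.
    A '..' inside a parameter value is treated as a path segment."""
    return strip_query(normalize(path))


def fixed_dispatch_path(path: str) -> str:
    """Corrected order: strip the query string first, then normalize."""
    return normalize(strip_query(path))


def is_protected(path: str) -> bool:
    """Resources under /WEB-INF or /META-INF must never be client-reachable."""
    upper = path.upper()
    return upper.startswith("/WEB-INF/") or upper.startswith("/META-INF/")


# Constructed request: the application forwards to a page and passes a
# user-controlled parameter through getRequestDispatcher(path) (assumed names).
USER_PARAM = "../../../WEB-INF/web.xml"
DISPATCH_PATH = "/pages/view.jsp?file=" + USER_PARAM


def demo():
    """Return (resolved path with the buggy order, resolved path with the fix)."""
    return vulnerable_dispatch_path(DISPATCH_PATH), fixed_dispatch_path(DISPATCH_PATH)


if __name__ == "__main__":
    bad, good = demo()
    print("normalize-then-strip:", bad, "(protected!)" if is_protected(bad) else "")
    print("strip-then-normalize:", good, "(protected!)" if is_protected(good) else "")
```

With the buggy order the parameter value climbs out of /pages and the dispatcher resolves to /WEB-INF/web.xml, a resource the container would refuse to serve directly but which a RequestDispatcher is allowed to reach; with the query string removed first, the same request resolves to /pages/view.jsp and the parameter never influences the path.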
An additional directory traversal vulnerability was discovered when the
allowLinking and URIencoding context settings were both enabled. A remote
attacker could use a UTF-8-encoded request to bypass path normalization and
read local files accessible to the Tomcat process. (CVE-2008-2938)
Users of tomcat should upgrade to these updated packages, which contain
backported patches to resolve these issues.
OS | OS Version | Architecture | Package | Vulnerable Version | Fixed Package (Filename) |
---|---|---|---|---|---|
RedHat | any | noarch | tomcat5-jsp-2.0-api | < 5.5.23-0jpp_12rh | tomcat5-jsp-2.0-api-5.5.23-0jpp_12rh.noarch.rpm |
RedHat | any | noarch | tomcat5-server-lib | < 5.5.23-0jpp_12rh | tomcat5-server-lib-5.5.23-0jpp_12rh.noarch.rpm |
RedHat | any | noarch | tomcat5 | < 5.5.23-0jpp_12rh | tomcat5-5.5.23-0jpp_12rh.noarch.rpm |
RedHat | any | noarch | tomcat5-servlet-2.4-api | < 5.5.23-0jpp_12rh | tomcat5-servlet-2.4-api-5.5.23-0jpp_12rh.noarch.rpm |
RedHat | any | noarch | tomcat5-jasper | < 5.5.23-0jpp_12rh | tomcat5-jasper-5.5.23-0jpp_12rh.noarch.rpm |
RedHat | any | noarch | tomcat5-common-lib | < 5.5.23-0jpp_12rh | tomcat5-common-lib-5.5.23-0jpp_12rh.noarch.rpm |
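To check a host against the table above, the installed tomcat5 packages have to be compared with the fixed version using RPM's own ordering rules, not a string comparison (0jpp_9rh sorts before 0jpp_12rh). The following is an added example, not part of this advisory: it re-implements rpm's rpmvercmp ordering (tilde and caret handling omitted, an assumption of the example) and runs it over rpm query output. The sample output is constructed, not captured from a real host.

```python
"""Flag installed tomcat5 packages older than the fixed 5.5.23-0jpp_12rh build.
Added example; rpmvercmp is re-implemented here (no tilde/caret support) and the
rpm output at the bottom is constructed for the demonstration."""
import re
from typing import Dict, List, Tuple

EVR = Tuple[int, str, str]  # (epoch, version, release)

# Fixed builds from the table above; Red Hat packages without an epoch use 0.
FIXED: Dict[str, EVR] = {
    name: (0, "5.5.23", "0jpp_12rh")
    for name in (
        "tomcat5", "tomcat5-jsp-2.0-api", "tomcat5-server-lib",
        "tomcat5-servlet-2.4-api", "tomcat5-jasper", "tomcat5-common-lib",
    )
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings as rpm does: runs of digits compare
    numerically, runs of letters lexically, a numeric segment beats an alphabetic
    one, any other character merely separates segments, and the string with
    segments left over is the newer one. Returns -1, 0 or 1."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)  # int() drops leading zeros, as rpm does
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(seg_a) == len(seg_b):
        return 0
    return -1 if len(seg_a) < len(seg_b) else 1


def evr_cmp(a: EVR, b: EVR) -> int:
    """Compare epoch first, then version, then release."""
    if a[0] != b[0]:
        return -1 if a[0] < b[0] else 1
    c = rpmvercmp(a[1], b[1])
    return c if c else rpmvercmp(a[2], b[2])


def parse_rpm_line(line: str) -> Tuple[str, EVR]:
    """Parse one line of: rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}'
    (rpm prints '(none)' for a missing epoch)."""
    name, epoch, version, release = line.split()
    return name, (0 if epoch == "(none)" else int(epoch), version, release)


def vulnerable_packages(rpm_output: str) -> List[str]:
    """Names of installed packages listed in FIXED whose EVR is below the fix."""
    found = []
    for line in rpm_output.strip().splitlines():
        name, evr = parse_rpm_line(line)
        fixed = FIXED.get(name)
        if fixed is not None and evr_cmp(evr, fixed) < 0:
            found.append(name)
    return found


# Constructed sample of rpm query output (not from a real host).
SAMPLE_RPM_OUTPUT = """\
tomcat5 (none) 5.5.23 0jpp_11rh
tomcat5-jasper (none) 5.5.23 0jpp_12rh
tomcat5-common-lib (none) 5.5.23 0jpp_9jpp
tomcat5-servlet-2.4-api (none) 5.5.23 0jpp_12rh
httpd (none) 2.2.3 11.el5
"""

if __name__ == "__main__":
    for name in vulnerable_packages(SAMPLE_RPM_OUTPUT):
        print("UPGRADE NEEDED:", name)
```

On a real host, feed the script the output of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'`; packages that are not in the table are ignored, and a package with a higher epoch is treated as newer regardless of its version string, which is how rpm itself decides.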