Apache Tomcat, ID TOMCAT:2C6F8BC7AC3DF500963E8EB5D522C774
Published: Sep 08, 2008

Fixed in Apache Tomcat 5.5.27

Source: Apache Tomcat, tomcat.apache.org

CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.1 Low
Percentile: 94.9%

Low: Cross-site scripting CVE-2008-1232

The message argument of an HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of the HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user-supplied data must be included in the message argument.

This was fixed in revision 680947.

This was first reported to the Tomcat security team on 24 Jan 2008 and made public on 1 Aug 2008.

Affects: 5.5.0-5.5.26
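
An application-side mitigation for the sendError() issue above, as an added example that is not Tomcat's own fix or code from the advisory: user-supplied data is filtered for both places the message ends up (the reason-phrase and the error page) before it is passed to sendError(). The class and method names are hypothetical, and the sample inputs are constructed.

```java
/** Added example; class and method names are hypothetical, not part of Tomcat. */
public class SafeErrorMessage {

    /** Reason-phrase context: keep printable ASCII only, so no CR, LF or other control bytes. */
    static String forReasonPhrase(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            // Conservative choice: anything outside 0x20..0x7e becomes a space.
            out.append(c >= 0x20 && c <= 0x7e ? c : ' ');
        }
        return out.toString();
    }

    /** HTML context: escape characters that can start markup or end an attribute value. */
    static String forHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** sendError() uses one string in both places, so apply both filters to user data. */
    static String forSendError(String userData) {
        return forHtml(forReasonPhrase(userData));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign name, embedded CR/LF, and HTML markup.
        String[] samples = { "report.pdf", "name\r\nsecond line", "<b>name</b>" };
        for (String s : samples) {
            // In a servlet the call would be:
            // response.sendError(HttpServletResponse.SC_NOT_FOUND, "Not found: " + forSendError(s));
            System.out.println("Not found: " + forSendError(s));
        }
    }
}
```

Only the user-controlled part of the message needs filtering; fixed text supplied by the application can be concatenated around it unchanged.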

Low: Cross-site scripting CVE-2008-1947

The Host Manager web application did not escape user-provided data before including it in the output. This enabled an XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

This was fixed in revision 662583.

This was first reported to the Tomcat security team on 15 May 2008 and made public on 28 May 2008.

Affects: 5.5.9-5.5.26

Important: Information disclosure CVE-2008-2370

When using a RequestDispatcher, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it under the WEB-INF directory.

This was fixed in revision 680949.

This was first reported to the Tomcat security team on 13 Jun 2008 and made public on 1 August 2008.

Affects: 5.5.0-5.5.26
