var-200810-0184
Vulnerability from variot
Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve. Apache Tomcat from The Apache Software Foundation contains a vulnerability which may allow a user from a non-premitted IP address to gain access. Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies. Apache Tomcat contains a vulnerability which may allow a user from a non-permitted IP address to gain access to a protected context. This vulnerability was addressed and solved in ASF Bugzilla - Bug 25835. However there was no description regarding this vulnerability in ASF Bugzilla - Bug 25835. Therefore, The Apache Tomcat Development Team has decided to publish an advisory regarding this issue. Kenichi Tsukamoto of Development Dept. II Application Management Middleware Div. FUJITSU LIMITED reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.Impact varies depending on the accessed context by the non-permitted IP address. For example information disclosure may be possible as a result. Apache Tomcat is prone to a security-bypass vulnerability related to extensions of 'RemoteFilterValve'. Attackers may be able to bypass certain access restrictions. The following versions are vulnerable: Tomcat 4.1.0 through 4.1.32 Tomcat 5.5.0.
TITLE: Apache Tomcat Directory Listing Denial of Service
SECUNIA ADVISORY ID: SA17416
VERIFY ADVISORY: http://secunia.com/advisories/17416/
CRITICAL: Not critical
IMPACT: DoS
WHERE:
From remote
SOFTWARE: Apache Tomcat 5.x http://secunia.com/product/3571/
DESCRIPTION: David Maciejak has discovered a vulnerability in Apache Tomcat, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to the inefficient generation of directory listing for web directories that has a large number of files. By sending multiple concurrent requests for such a directory, it is possible to prevent other users from accessing the directory and causes the server to consume a large amount of CPU resources. The vulnerability affects only the directory that is being listed. Files or applications in other web directories are not affected.
Successful exploitation requires that directory listing is enabled in a directory with a large number of files.
The vulnerability has been confirmed in Tomcat version 5.5.11 and 5.5.12 on the Windows platform, and has been reported in versions 5.5.0 through 5.5.11. Other versions may also be affected.
Note: In version 5.5.12, the server will resume normal operation after a few minutes.
SOLUTION: The vulnerability has been partially addressed in version 5.5.12, which will resume normal operation after a few minutes.
Disable directory listing for web directories that has a large number of files.
PROVIDED AND/OR DISCOVERED BY: David Maciejak
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
.
Mitigation: Upgrade to: 4.1.32 or later 5.5.1 or later 6.0.0 or later
Example: This has only been reproduced using a debugger to force a particular processing sequence across two threads.
1. Set a breakpoint right after the place where a value
is to be entered in the instance variable of regexp
(search:org.apache.regexp.CharacterIterator).
2. Send a request from the IP address* which is not permitted.
(stopped at the breakpoint)
*About the IP address which is not permitted.
The character strings length of the IP address which is set
in RemoteAddrValve must be same.
3. Send a request from the IP address which was set in
RemoteAddrValve.
(stopped at the breakpoint)
In this way, the instance variable is to be overwritten here.
4. Resume the thread which is processing the step 2 above.
5. The request from the not permitted IP address will succeed.
References: http://tomcat.apache.org/security.html
Mark Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj =9Z/F -----END PGP SIGNATURE----- .
Apache Tomcat 5.x: Update to version 5.5.1 or later.
SOLUTION: Patches are scheduled for release.
Use a proxy or firewall to protect resources. Version 5.5.x is intented for servlet/jsp specification 2.4/2.0. More information on http://tomcat.apache.org/
Description:
Many time consuming directory listing requests can cause a denial of service.
Detection/PoC:
On Linux: Vulnerable version tested are 5.5.0 to 5.5.11. 5.5.12 and 5.0.28 seems not to be impacted.
A easy way to test : -Download Tomcat package from Tomcat archive -Unpack it, use default configuration -In webapps example dir, add some empty files (enough for the dir listing request to be long) -Thread many listing access on this directory
Workaround:
Upgrade to linux version 5.5.12
PS: Secunia team have done more test available on http://secunia.com/advisories/17416/
David Maciejak
KYXAR.FR - Mail envoy\xe9 depuis http://webmail.kyxar.fr . ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability intelligence source on the market.
Implement it through Secunia.
For more information visit: http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com
TITLE: NEC WebOTX Products "RemoteFilterValve" Security Bypass Security Issue
SECUNIA ADVISORY ID: SA35684
VERIFY ADVISORY: http://secunia.com/advisories/35684/
DESCRIPTION: A security issue has been reported in various NEC WebOTX products, which potentially can be exploited by malicious people to bypass certain security restrictions.
The security issue is caused due to a synchronisation problem when checking IP addresses and can be exploited to bypass a filter valve that extends "RemoteFilterValve" and potentially gain access to protected contexts.
The security issue is reported in the following products and versions: * WebOTX Web Edition version 4.x through 5.x * WebOTX Standard-J Edition version 4.x through 5.x * WebOTX Standard Edition version 4.x through 5.x * WebOTX Enterprise Edition version 4.x through 5.x * WebOTX UDDI Registry version 1.1 through 2.1
SOLUTION: Reportedly, patches are available. Contact the vendor's sales department for more information.
For more information: SA32213
SOLUTION: Apply updated packages via YaST Online Update or the SUSE FTP server
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200810-0184", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "tomcat", "scope": "eq", "trust": 2.4, "vendor": "apache", "version": "5.5.0" }, { "model": "tomcat", "scope": "eq", "trust": 1.9, "vendor": "apache", "version": "4.1.31" }, { "model": "tomcat", "scope": "eq", "trust": 1.9, "vendor": "apache", "version": "4.1.30" }, { "model": "tomcat", "scope": "eq", "trust": 1.9, "vendor": "apache", "version": "4.1.3" }, { "model": "tomcat", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "4.1.8" }, { "model": "tomcat", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "4.1.5" }, { "model": "tomcat", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "4.1.7" }, { "model": "tomcat", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "4.1.4" }, { "model": "tomcat", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "4.1.6" }, { "model": "tomcat", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "4.1.9" }, { "model": "tomcat", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "4.1.28" }, { "model": "tomcat", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "4.1.29" }, { "model": "tomcat", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "4.1.24" }, { "model": "tomcat", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "4.1.12" }, { "model": "tomcat", "scope": "eq", "trust": 1.3, "vendor": "apache", "version": "4.1.10" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.18" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.0" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.13" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.15" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.17" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.23" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.2" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.19" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.21" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.1" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.14" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.16" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.22" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.11" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.25" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.26" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.27" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "4.1.20" }, { "model": "tomcat", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": "4.1.0 to 4.1.31" }, { "model": "interstage application framework suite", "scope": null, "trust": 0.8, "vendor": "fujitsu", "version": null }, { "model": "interstage application server", "scope": null, "trust": 0.8, "vendor": "fujitsu", "version": null }, { "model": "interstage apworks", "scope": null, "trust": 0.8, "vendor": "fujitsu", "version": null }, { "model": "interstage business application server", "scope": null, "trust": 0.8, "vendor": "fujitsu", "version": null }, { "model": "interstage job workload server", "scope": null, "trust": 0.8, "vendor": "fujitsu", "version": null }, { "model": "interstage studio", "scope": null, "trust": 0.8, "vendor": "fujitsu", "version": null }, { "model": "interstage web server", "scope": null, "trust": 0.8, "vendor": "fujitsu", "version": null }, { "model": "webotx application server", "scope": null, "trust": 0.8, "vendor": "nec", "version": null }, { "model": "interstage job workload server", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "8.1" }, { "model": "opensuse", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "11.0" }, { "model": "webotx uddi registry", "scope": "eq", "trust": 0.3, "vendor": "nec", "version": "2.1" }, { "model": "interstage application server standard-j edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "8.0" }, { "model": "interstage apworks modelers-j edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "7.0" }, { "model": "webotx standard-j edition", "scope": "eq", "trust": 0.3, "vendor": "nec", "version": "4.x" }, { "model": "interstage application server standard-j edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "9.1" }, { "model": "interstage studio enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "8.0.1" }, { "model": "interstage application server enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "9.0" }, { "model": "opensuse", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "10.3" }, { "model": "webotx web edition", "scope": "eq", "trust": 0.3, "vendor": "nec", "version": "5.x" }, { "model": "linux enterprise server sp2", "scope": "eq", "trust": 0.3, "vendor": "suse", "version": "10" }, { "model": "tomcat", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "5.0" }, { "model": "interstage application server enterprise edition a", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "9.0" }, { "model": "opensuse", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "10.2" }, { "model": "linux enterprise sdk sp2", "scope": "eq", "trust": 0.3, "vendor": "suse", "version": "10" }, { "model": "tomcat", "scope": "ne", "trust": 0.3, "vendor": "apache", "version": "4.1.32" }, { "model": "tomcat", "scope": "ne", "trust": 0.3, "vendor": "apache", "version": "5.0.1" }, { "model": "interstage application server plus", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "7.0" }, { "model": "interstage apworks modelers-j edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "6.0" }, { "model": "interstage apworks modelers-j edition 6.0a", "scope": null, "trust": 0.3, "vendor": "fujitsu", "version": null }, { "model": "webotx enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "nec", "version": "5.x" }, { "model": "interstage application server standard-j edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "8.0.2" }, { "model": "interstage application server plus", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "7.0.1" }, { "model": "interstage application server plus developer", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "7.0" }, { "model": "interstage application server enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "8.0.1" }, { "model": "interstage application server enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "7.0" }, { "model": "interstage application server plus", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "6.0" }, { "model": "webotx web edition", "scope": "eq", "trust": 0.3, "vendor": "nec", "version": "4.x" }, { "model": "interstage business application server enterprise", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "8.0.0" }, { "model": "tomcat", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "4.1" }, { "model": "interstage application server enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "7.0.1" }, { "model": "interstage application server standard-j edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "9.0" }, { "model": "interstage application server standard-j edition a", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "9.0" }, { "model": "interstage application server plus developer", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "6.0" }, { "model": "webotx enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "nec", "version": "4.x" }, { "model": "interstage studio standard-j edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "9.0" }, { "model": "interstage application server enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "8.0" }, { "model": "interstage application server enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "6.0" }, { "model": "interstage application server enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "9.1" }, { "model": "red hat network satellite (for rhel", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "4)5.1" }, { "model": "webotx standard edition", "scope": "eq", "trust": 0.3, "vendor": "nec", "version": "5.x" }, { "model": "tomcat beta", "scope": "eq", "trust": 0.3, "vendor": "apache", "version": "4.1.3" }, { "model": "interstage application server standard edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "7.0" }, { "model": "webotx standard-j edition", "scope": "eq", "trust": 0.3, "vendor": "nec", "version": "5.x" }, { "model": "linux enterprise sdk 10.sp1", "scope": null, "trust": 0.3, "vendor": "suse", "version": null }, { "model": "linux enterprise server sp1", "scope": "eq", "trust": 0.3, "vendor": "suse", "version": "10" }, { "model": "interstage studio enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "9.0" }, { "model": "red hat network satellite server", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "5.0.1" }, { "model": "interstage application server enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "8.0.3" }, { "model": "novell linux pos", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9" }, { "model": "webotx uddi registry", "scope": "eq", "trust": 0.3, "vendor": "nec", "version": "1.1" }, { "model": "interstage studio standard-j edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "8.0.1" }, { "model": "interstage application server enterprise edition", "scope": "eq", "trust": 0.3, "vendor": "fujitsu", "version": "8.0.2" }, { "model": "tomcat", "scope": "ne", "trust": 0.3, "vendor": "apache", "version": "6.0" }, { "model": "open-enterprise-server", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "0" }, { "model": "linux enterprise server", "scope": "eq", "trust": 0.3, "vendor": "suse", "version": "9" }, { "model": "novell linux desktop sdk", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.0" }, { "model": "webotx standard edition", "scope": "eq", "trust": 0.3, "vendor": "nec", "version": "4.x" }, { "model": "red hat network satellite server", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "5.0" } ], "sources": [ { "db": "BID", "id": "31698" }, { "db": "JVNDB", "id": "JVNDB-2008-000069" }, { "db": "NVD", "id": "CVE-2008-3271" }, { "db": "CNNVD", "id": "CNNVD-200810-176" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.21:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.25:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.27:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.30:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.18:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.14:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.19:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.16:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.29:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.22:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.26:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.13:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.17:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.20:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.23:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:4.1.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2008-3271" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Kenichi Tsukamoto", "sources": [ { "db": "BID", "id": "31698" }, { "db": "CNNVD", "id": "CNNVD-200810-176" } ], "trust": 0.9 }, "cve": "CVE-2008-3271", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.6, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "High", "accessVector": "Network", "authentication": "None", "author": "IPA", "availabilityImpact": "None", "baseScore": 2.6, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "JVNDB-2008-000069", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Low", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2008-3271", "trust": 1.0, "value": "MEDIUM" }, { "author": "IPA", "id": "JVNDB-2008-000069", "trust": 0.8, "value": "Low" }, { "author": "CNNVD", "id": "CNNVD-200810-176", "trust": 0.6, "value": "LOW" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-000069" }, { "db": "NVD", "id": "CVE-2008-3271" }, { "db": "CNNVD", "id": "CNNVD-200810-176" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a \"synchronization problem\" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve. Apache Tomcat from The Apache Software Foundation contains a vulnerability which may allow a user from a non-premitted IP address to gain access. Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies. Apache Tomcat contains a vulnerability which may allow a user from a non-permitted IP address to gain access to a protected context. This vulnerability was addressed and solved in ASF Bugzilla - Bug 25835. However there was no description regarding this vulnerability in ASF Bugzilla - Bug 25835. Therefore, The Apache Tomcat Development Team has decided to publish an advisory regarding this issue. Kenichi Tsukamoto of Development Dept. II Application Management Middleware Div. FUJITSU LIMITED reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.Impact varies depending on the accessed context by the non-permitted IP address. For example information disclosure may be possible as a result. Apache Tomcat is prone to a security-bypass vulnerability related to extensions of \u0027RemoteFilterValve\u0027. \nAttackers may be able to bypass certain access restrictions. \nThe following versions are vulnerable:\nTomcat 4.1.0 through 4.1.32\nTomcat 5.5.0. \n\nTITLE:\nApache Tomcat Directory Listing Denial of Service\n\nSECUNIA ADVISORY ID:\nSA17416\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/17416/\n\nCRITICAL:\nNot critical\n\nIMPACT:\nDoS\n\nWHERE:\n\u003eFrom remote\n\nSOFTWARE:\nApache Tomcat 5.x\nhttp://secunia.com/product/3571/\n\nDESCRIPTION:\nDavid Maciejak has discovered a vulnerability in Apache Tomcat, which\ncan be exploited by malicious people to cause a DoS (Denial of\nService). \n\nThe vulnerability is caused due to the inefficient generation of\ndirectory listing for web directories that has a large number of\nfiles. By sending multiple concurrent requests for such a directory,\nit is possible to prevent other users from accessing the directory\nand causes the server to consume a large amount of CPU resources. The\nvulnerability affects only the directory that is being listed. Files\nor applications in other web directories are not affected. \n\nSuccessful exploitation requires that directory listing is enabled in\na directory with a large number of files. \n\nThe vulnerability has been confirmed in Tomcat version 5.5.11 and\n5.5.12 on the Windows platform, and has been reported in versions\n5.5.0 through 5.5.11. Other versions may also be affected. \n\nNote: In version 5.5.12, the server will resume normal operation\nafter a few minutes. \n\nSOLUTION:\nThe vulnerability has been partially addressed in version 5.5.12,\nwhich will resume normal operation after a few minutes. \n\nDisable directory listing for web directories that has a large number\nof files. \n\nPROVIDED AND/OR DISCOVERED BY:\nDavid Maciejak\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. \n\nMitigation:\nUpgrade to:\n4.1.32 or later\n5.5.1 or later\n6.0.0 or later\n\nExample:\nThis has only been reproduced using a debugger to force a particular\nprocessing sequence across two threads. \n\n 1. Set a breakpoint right after the place where a value\n is to be entered in the instance variable of regexp\n (search:org.apache.regexp.CharacterIterator). \n\n 2. Send a request from the IP address* which is not permitted. \n (stopped at the breakpoint)\n\n *About the IP address which is not permitted. \n The character strings length of the IP address which is set\n in RemoteAddrValve must be same. \n\n 3. Send a request from the IP address which was set in\n RemoteAddrValve. \n (stopped at the breakpoint)\n In this way, the instance variable is to be overwritten here. \n\n 4. Resume the thread which is processing the step 2 above. \n\n 5. The request from the not permitted IP address will succeed. \n\nReferences:\nhttp://tomcat.apache.org/security.html\n\nMark Thomas\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.9 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt\nOtgAmQHjgnxg0vKKSp43vez8XaBIZpOj\n=9Z/F\n-----END PGP SIGNATURE-----\n. \n\nApache Tomcat 5.x:\nUpdate to version 5.5.1 or later. \n\nSOLUTION:\nPatches are scheduled for release. \n\nUse a proxy or firewall to protect resources. \nVersion 5.5.x is intented for servlet/jsp specification 2.4/2.0. \nMore information on http://tomcat.apache.org/\n\nDescription:\n\nMany time consuming directory listing requests can cause a denial of service. \n\nDetection/PoC:\n\nOn Linux:\nVulnerable version tested are 5.5.0 to 5.5.11. \n5.5.12 and 5.0.28 seems not to be impacted. \n\nA easy way to test :\n-Download Tomcat package from Tomcat archive\n-Unpack it, use default configuration\n-In webapps example dir, add some empty files (enough for the dir listing \nrequest to be long)\n-Thread many listing access on this directory\n\nWorkaround:\n\nUpgrade to linux version 5.5.12\n\nPS: Secunia team have done more test available on\nhttp://secunia.com/advisories/17416/\n\nDavid Maciejak\n\n\n\n--------------------------------------------------------------------------------\nKYXAR.FR - Mail envoy\\xe9 depuis http://webmail.kyxar.fr\n. ----------------------------------------------------------------------\n\nDo you have VARM strategy implemented?\n\n(Vulnerability Assessment Remediation Management) \n\nIf not, then implement it through the most reliable vulnerability\nintelligence source on the market. \n\nImplement it through Secunia. \n\nFor more information visit:\nhttp://secunia.com/advisories/business_solutions/\n\nAlternatively request a call from a Secunia representative today to\ndiscuss how we can help you with our capabilities contact us at:\nsales@secunia.com\n\n----------------------------------------------------------------------\n\nTITLE:\nNEC WebOTX Products \"RemoteFilterValve\" Security Bypass Security\nIssue\n\nSECUNIA ADVISORY ID:\nSA35684\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/35684/\n\nDESCRIPTION:\nA security issue has been reported in various NEC WebOTX products,\nwhich potentially can be exploited by malicious people to bypass\ncertain security restrictions. \n\nThe security issue is caused due to a synchronisation problem when\nchecking IP addresses and can be exploited to bypass a filter valve\nthat extends \"RemoteFilterValve\" and potentially gain access to\nprotected contexts. \n\nThe security issue is reported in the following products and\nversions:\n* WebOTX Web Edition version 4.x through 5.x\n* WebOTX Standard-J Edition version 4.x through 5.x\n* WebOTX Standard Edition version 4.x through 5.x\n* WebOTX Enterprise Edition version 4.x through 5.x\n* WebOTX UDDI Registry version 1.1 through 2.1\n\nSOLUTION:\nReportedly, patches are available. Contact the vendor\u0027s sales\ndepartment for more information. \n\nFor more information:\nSA32213\n\nSOLUTION:\nApply updated packages via YaST Online Update or the SUSE FTP server", "sources": [ { "db": "NVD", "id": "CVE-2008-3271" }, { "db": "JVNDB", "id": "JVNDB-2008-000069" }, { "db": "BID", "id": "31698" }, { "db": "PACKETSTORM", "id": "41248" }, { "db": "PACKETSTORM", "id": "70828" }, { "db": "PACKETSTORM", "id": "70882" }, { "db": "PACKETSTORM", "id": "70792" }, { "db": "PACKETSTORM", "id": "41335" }, { "db": "PACKETSTORM", "id": "79028" }, { "db": "PACKETSTORM", "id": "71395" } ], "trust": 2.52 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "JVNDB", "id": "JVNDB-2008-000069", "trust": 2.8 }, { "db": "NVD", "id": "CVE-2008-3271", "trust": 2.8 }, { "db": "BID", "id": "31698", "trust": 2.7 }, { "db": "SECUNIA", "id": "32213", "trust": 2.6 }, { "db": "SECUNIA", "id": "32234", "trust": 2.6 }, { "db": "JVN", "id": "JVN30732239", "trust": 2.6 }, { "db": "SECUNIA", "id": "35684", "trust": 1.8 }, { "db": "SECUNIA", "id": "32398", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2008-2800", "trust": 1.6 }, { "db": "VUPEN", "id": "ADV-2009-1818", "trust": 1.6 }, { "db": "VUPEN", "id": "ADV-2008-2793", "trust": 1.6 }, { "db": "SREASON", "id": "4396", "trust": 1.6 }, { "db": "SECTRACK", "id": "1021039", "trust": 1.6 }, { "db": "CNNVD", "id": "CNNVD-200810-176", "trust": 0.6 }, { "db": "SECUNIA", "id": "17416", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "41248", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "70828", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "70882", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "70792", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "41335", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "79028", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "71395", "trust": 0.1 } ], "sources": [ { "db": "BID", "id": "31698" }, { "db": "JVNDB", "id": "JVNDB-2008-000069" }, { "db": "PACKETSTORM", "id": "41248" }, { "db": "PACKETSTORM", "id": "70828" }, { "db": "PACKETSTORM", "id": "70882" }, { "db": "PACKETSTORM", "id": "70792" }, { "db": "PACKETSTORM", "id": "41335" }, { "db": "PACKETSTORM", "id": "79028" }, { "db": "PACKETSTORM", "id": "71395" }, { "db": "NVD", "id": "CVE-2008-3271" }, { "db": "CNNVD", "id": "CNNVD-200810-176" } ] }, "id": "VAR-200810-0184", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.15801565 }, "last_update_date": "2023-12-18T10:49:06.563000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Security Updates", "trust": 0.8, "url": "http://tomcat.apache.org/security" }, { "title": "Apache Tomcat 4.x vulnerabilities", "trust": 0.8, "url": "http://tomcat.apache.org/security-4.html" }, { "title": "Apache Tomcat 5.x vulnerabilities", "trust": 0.8, "url": "http://tomcat.apache.org/security-5.html" }, { "title": "Bug 25835", "trust": 0.8, "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=25835" }, { "title": "interstage-200806e", "trust": 0.8, "url": "http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html" }, { "title": "NV09-006", "trust": 0.8, "url": "http://www.nec.co.jp/security-info/secinfo/nv09-006.html" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-000069" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-264", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-000069" }, { "db": "NVD", "id": "CVE-2008-3271" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 3.0, "url": "http://www.securityfocus.com/bid/31698" }, { "trust": 2.6, "url": "http://jvn.jp/en/jp/jvn30732239/index.html" }, { "trust": 2.4, "url": "http://secunia.com/advisories/32234" }, { "trust": 2.0, "url": "http://tomcat.apache.org/security-4.html" }, { "trust": 2.0, "url": "http://tomcat.apache.org/security-5.html" }, { "trust": 2.0, "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=25835" }, { "trust": 2.0, "url": "http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html" }, { "trust": 2.0, "url": "http://jvndb.jvn.jp/en/contents/2008/jvndb-2008-000069.html" }, { "trust": 2.0, "url": "http://www.nec.co.jp/security-info/secinfo/nv09-006.html" }, { "trust": 1.7, "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00012.html" }, { "trust": 1.6, "url": "http://secunia.com/advisories/32213" }, { "trust": 1.6, "url": "http://secunia.com/advisories/32398" }, { "trust": 1.6, "url": "http://secunia.com/advisories/35684" }, { "trust": 1.6, "url": "http://securityreason.com/securityalert/4396" }, { "trust": 1.6, "url": "http://www.securityfocus.com/archive/1/497220/100/0/threaded" }, { "trust": 1.6, "url": "http://www.securitytracker.com/id?1021039" }, { "trust": 1.6, "url": "http://www.vupen.com/english/advisories/2008/2793" }, { "trust": 1.6, "url": "http://www.vupen.com/english/advisories/2008/2800" }, { "trust": 1.6, "url": "http://www.vupen.com/english/advisories/2009/1818" }, { "trust": 1.6, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45791" }, { "trust": 1.6, "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.6, "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.6, "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "http://secunia.com/advisories/32213/" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3271" }, { "trust": 0.8, "url": "http://www.frsirt.com/english/advisories/2008/2793" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-3271" }, { "trust": 0.6, "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.6, "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.5, "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" }, { "trust": 0.4, "url": "http://tomcat.apache.org/" }, { "trust": 0.4, "url": "http://secunia.com/advisories/secunia_security_advisories/" }, { "trust": 0.4, "url": "http://secunia.com/advisories/about_secunia_advisories/" }, { "trust": 0.3, "url": "/archive/1/497220" }, { "trust": 0.3, "url": "http://secunia.com/binary_analysis/sample_analysis/" }, { "trust": 0.2, "url": "http://secunia.com/advisories/17416/" }, { "trust": 0.1, "url": "http://secunia.com/secunia_security_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/about_secunia_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/product/3571/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2008-3271" }, { "trust": 0.1, "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=25835)" }, { "trust": 0.1, "url": "http://tomcat.apache.org/security.html" }, { "trust": 0.1, "url": "http://enigmail.mozdev.org" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/328/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/3571/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/32234/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13693/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/15986/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13690/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13688/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/15610/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13685/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13687/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13689/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13686/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13692/" }, { "trust": 0.1, "url": "http://webmail.kyxar.fr" }, { "trust": 0.1, "url": "http://secunia.com/advisories/35684/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/business_solutions/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/32398/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/4664/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13375/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/4118/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/12192/" } ], "sources": [ { "db": "BID", "id": "31698" }, { "db": "JVNDB", "id": "JVNDB-2008-000069" }, { "db": "PACKETSTORM", "id": "41248" }, { "db": "PACKETSTORM", "id": "70828" }, { "db": "PACKETSTORM", "id": "70882" }, { "db": "PACKETSTORM", "id": "70792" }, { "db": "PACKETSTORM", "id": "41335" }, { "db": "PACKETSTORM", "id": "79028" }, { "db": "PACKETSTORM", "id": "71395" }, { "db": "NVD", "id": "CVE-2008-3271" }, { "db": "CNNVD", "id": "CNNVD-200810-176" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "31698" }, { "db": "JVNDB", "id": "JVNDB-2008-000069" }, { "db": "PACKETSTORM", "id": "41248" }, { "db": "PACKETSTORM", "id": "70828" }, { "db": "PACKETSTORM", "id": "70882" }, { "db": "PACKETSTORM", "id": "70792" }, { "db": "PACKETSTORM", "id": "41335" }, { "db": "PACKETSTORM", "id": "79028" }, { "db": "PACKETSTORM", "id": "71395" }, { "db": "NVD", "id": "CVE-2008-3271" }, { "db": "CNNVD", "id": "CNNVD-200810-176" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2008-10-10T00:00:00", "db": "BID", "id": "31698" }, { "date": "2008-10-10T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-000069" }, { "date": "2005-11-03T23:53:58", "db": "PACKETSTORM", "id": "41248" }, { "date": "2008-10-11T18:33:31", "db": "PACKETSTORM", "id": "70828" }, { "date": "2008-10-13T22:53:24", "db": "PACKETSTORM", "id": "70882" }, { "date": "2008-10-10T23:03:15", "db": "PACKETSTORM", "id": "70792" }, { "date": "2005-11-08T14:26:54", "db": "PACKETSTORM", "id": "41335" }, { "date": "2009-07-08T14:53:57", "db": "PACKETSTORM", "id": "79028" }, { "date": "2008-10-31T18:08:14", "db": "PACKETSTORM", "id": "71395" }, { "date": "2008-10-13T20:00:02.057000", "db": "NVD", "id": "CVE-2008-3271" }, { "date": "2008-10-13T00:00:00", "db": "CNNVD", "id": "CNNVD-200810-176" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2009-07-08T21:46:00", "db": "BID", "id": "31698" }, { "date": "2009-07-08T00:00:00", "db": "JVNDB", "id": "JVNDB-2008-000069" }, { "date": "2023-02-13T02:19:17.897000", "db": "NVD", "id": "CVE-2008-3271" }, { "date": "2023-02-14T00:00:00", "db": "CNNVD", "id": "CNNVD-200810-176" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-200810-176" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache Tomcat allows access from a non-permitted IP address", "sources": [ { "db": "JVNDB", "id": "JVNDB-2008-000069" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "permissions and access control issues", "sources": [ { "db": "CNNVD", "id": "CNNVD-200810-176" } ], "trust": 0.6 } }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.