Apache.Tomcat.Jsecurity.Check.Information.Disclosure

description-logoDescription

This indicates an attack attempt against an information disclosure vulnerability in Apache Tomcat.
A vulnerability has been reported in Apache Tomcat that may allow an attacker to gain knowledge of sensitive information on a vulnerable system. This is possible because the user input filters fail to properly sanitize the j_password parameter value that is passed to "j_security_check". An attacker may read any file on the vulnerable server by sending a crafted http request.

affected-products-logoAffected Products

Apache Software Foundation Tomcat 6.0.18
Apache Software Foundation Tomcat 6.0.16
Apache Software Foundation Tomcat 6.0.15
Apache Software Foundation Tomcat 6.0.14
Apache Software Foundation Tomcat 6.0.13
Apache Software Foundation Tomcat 6.0.12
Apache Software Foundation Tomcat 6.0.11
Apache Software Foundation Tomcat 6.0.10
Apache Software Foundation Tomcat 6.0.9
Apache Software Foundation Tomcat 6.0.8
Apache Software Foundation Tomcat 6.0.7
Apache Software Foundation Tomcat 6.0.6
Apache Software Foundation Tomcat 6.0.5
Apache Software Foundation Tomcat 6.0.4
Apache Software Foundation Tomcat 6.0.3
Apache Software Foundation Tomcat 6.0.2
Apache Software Foundation Tomcat 6.0.1
Apache Software Foundation Tomcat 6.0
Apache Software Foundation Tomcat 5.5.27
Apache Software Foundation Tomcat 5.5.26
Apache Software Foundation Tomcat 5.5.25
Apache Software Foundation Tomcat 5.5.24
Apache Software Foundation Tomcat 5.5.23
Apache Software Foundation Tomcat 5.5.22
Apache Software Foundation Tomcat 5.5.21
Apache Software Foundation Tomcat 5.5.20
Apache Software Foundation Tomcat 5.5.20
Apache Software Foundation Tomcat 5.5.19
Apache Software Foundation Tomcat 5.5.18
Apache Software Foundation Tomcat 5.5.17
Apache Software Foundation Tomcat 5.5.17
Apache Software Foundation Tomcat 5.5.16
Apache Software Foundation Tomcat 5.5.15
Apache Software Foundation Tomcat 5.5.14
Apache Software Foundation Tomcat 5.5.13
Apache Software Foundation Tomcat 5.5.12
Apache Software Foundation Tomcat 5.5.12
Apache Software Foundation Tomcat 5.5.11
Apache Software Foundation Tomcat 5.5.11
Apache Software Foundation Tomcat 5.5.10
Apache Software Foundation Tomcat 5.5.10
Apache Software Foundation Tomcat 5.5.9
Apache Software Foundation Tomcat 5.5.9
Apache Software Foundation Tomcat 5.5.8
Apache Software Foundation Tomcat 5.5.8
Apache Software Foundation Tomcat 5.5.7
Apache Software Foundation Tomcat 5.5.7
Apache Software Foundation Tomcat 5.5.6
Apache Software Foundation Tomcat 5.5.6
Apache Software Foundation Tomcat 5.5.5
Apache Software Foundation Tomcat 5.5.5
Apache Software Foundation Tomcat 5.5.4
Apache Software Foundation Tomcat 5.5.4
Apache Software Foundation Tomcat 5.5.3
Apache Software Foundation Tomcat 5.5.3
Apache Software Foundation Tomcat 5.5.2
Apache Software Foundation Tomcat 5.5.2
Apache Software Foundation Tomcat 5.5.1
Apache Software Foundation Tomcat 5.5.1
Apache Software Foundation Tomcat 5.5
Apache Software Foundation Tomcat 5.5
Apache Software Foundation Tomcat 4.1.39
Apache Software Foundation Tomcat 4.1.38
Apache Software Foundation Tomcat 4.1.37
Apache Software Foundation Tomcat 4.1.36
Apache Software Foundation Tomcat 4.1.36
Apache Software Foundation Tomcat 4.1.35
Apache Software Foundation Tomcat 4.1.34
Apache Software Foundation Tomcat 4.1.34
Apache Software Foundation Tomcat 4.1.32
Apache Software Foundation Tomcat 4.1.31
Apache Software Foundation Tomcat 4.1.30
Apache Software Foundation Tomcat 4.1.29
Apache Software Foundation Tomcat 4.1.28
Apache Software Foundation Tomcat 4.1.24
Apache Software Foundation Tomcat 4.1.12
Apache Software Foundation Tomcat 4.1.10
Apache Software Foundation Tomcat 4.1.9 beta
Apache Software Foundation Tomcat 4.1.3 beta
Apache Software Foundation Tomcat 4.1.3
Apache Software Foundation Tomcat 4.1
Apache Software Foundation Tomcat 4.1

Impact logoImpact

Information Disclosure: Remote attackers can gain sensitive information from vulnerable systems.

recomended-action-logoRecommended Actions

Apply patch,available from the web site.
6.0.x :
http://svn.apache.org/viewvc?rev=747840&view=rev
5.5.x :
http://svn.apache.org/viewvc?rev=781379&view=rev
4.1.x :
http://svn.apache.org/viewvc?rev=781382&view=rev

Telemetry logoTelemetry

Coverage

IPS (Regular DB)
IPS (Extended DB)