Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2009-0783

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 4.2, requiring local system access to exploit with relatively low complexity without requiring user interaction . The vulnerability impacts limited data confidentiality, limited integrity, and limited availability for affected systems. Impacting 1 product from apache organizations running these solutions should prioritize assessment and patching.

Historical Context

Originally identified in 2009, this vulnerability predates many modern security frameworks and practices. The vulnerability landscape of that era was characterized by different threat models and less mature defense mechanisms compared to contemporary standards.

Published

2009-06-05T16:00:00.267

Last Modified

2026-04-23T00:35:47.467

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 4.2 (MEDIUM)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:P/A:P

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

3.9

Impact Score

6.4

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	tomcat	≤ 4.1.39	Yes
Application	apache	tomcat	≤ 5.5.27	Yes
Application	apache	tomcat	≤ 6.0.18	Yes

References

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html Mailing List ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=127420533226623&w=2 Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=129070310906557&w=2 Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=136485229118404&w=2 Third Party Advisory ([email protected])
http://secunia.com/advisories/35685 Vendor Advisory ([email protected])
http://secunia.com/advisories/35788 Vendor Advisory ([email protected])
http://secunia.com/advisories/37460 Vendor Advisory ([email protected])
http://secunia.com/advisories/42368 Vendor Advisory ([email protected])
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 Third Party Advisory ([email protected])
http://support.apple.com/kb/HT4077 Third Party Advisory ([email protected])
http://svn.apache.org/viewvc?rev=652592&view=rev Patch ([email protected])
http://svn.apache.org/viewvc?rev=681156&view=rev Patch ([email protected])
http://svn.apache.org/viewvc?rev=739522&view=rev Patch ([email protected])
http://svn.apache.org/viewvc?rev=781542&view=rev Patch ([email protected])
http://svn.apache.org/viewvc?rev=781708&view=rev Patch ([email protected])
http://tomcat.apache.org/security-4.html Patch, Vendor Advisory ([email protected])
http://tomcat.apache.org/security-5.html Patch, Vendor Advisory ([email protected])
http://tomcat.apache.org/security-6.html Patch, Vendor Advisory ([email protected])
http://www.debian.org/security/2011/dsa-2207 Third Party Advisory ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 Third Party Advisory ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 Third Party Advisory ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 Third Party Advisory ([email protected])
http://www.securityfocus.com/archive/1/504090/100/0/threaded Third Party Advisory, VDB Entry ([email protected])
http://www.securityfocus.com/archive/1/507985/100/0/threaded Third Party Advisory, VDB Entry ([email protected])
http://www.securityfocus.com/bid/35416 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id?1022336 Third Party Advisory, VDB Entry ([email protected])
http://www.vmware.com/security/advisories/VMSA-2009-0016.html Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2009/1856 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2009/3316 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/3056 Vendor Advisory ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/51195 VDB Entry ([email protected])
https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 Issue Tracking, Patch ([email protected])
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 Issue Tracking ([email protected])
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716 Tool Signature ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913 Tool Signature ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450 Tool Signature ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html Third Party Advisory ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html Third Party Advisory ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html Third Party Advisory ([email protected])
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=127420533226623&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=129070310906557&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=136485229118404&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35685 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35788 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/37460 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/42368 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT4077 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?rev=652592&view=rev Patch (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?rev=681156&view=rev Patch (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?rev=739522&view=rev Patch (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?rev=781542&view=rev Patch (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?rev=781708&view=rev Patch (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-4.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-5.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-6.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2011/dsa-2207 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/504090/100/0/threaded Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/507985/100/0/threaded Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/35416 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id?1022336 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.vmware.com/security/advisories/VMSA-2009-0016.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/1856 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/3316 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/3056 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/51195 VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716 Tool Signature (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913 Tool Signature (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450 Tool Signature (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For apache's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.