Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2009-0783

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.

Published

2009-06-05T16:00:00.267

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 4.2 (MEDIUM)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:P/A:P

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

3.9

Impact Score

6.4

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	tomcat	≤ 4.1.39	Yes
Application	apache	tomcat	≤ 5.5.27	Yes
Application	apache	tomcat	≤ 6.0.18	Yes

References

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html Mailing List ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=127420533226623&w=2 Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=127420533226623&w=2 Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=129070310906557&w=2 Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=129070310906557&w=2 Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=136485229118404&w=2 Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=136485229118404&w=2 Third Party Advisory ([email protected])
http://secunia.com/advisories/35685 Vendor Advisory ([email protected])
http://secunia.com/advisories/35788 Vendor Advisory ([email protected])
http://secunia.com/advisories/37460 Vendor Advisory ([email protected])
http://secunia.com/advisories/42368 Vendor Advisory ([email protected])
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 Third Party Advisory ([email protected])
http://support.apple.com/kb/HT4077 Third Party Advisory ([email protected])
http://svn.apache.org/viewvc?rev=652592&view=rev Patch ([email protected])
http://svn.apache.org/viewvc?rev=681156&view=rev Patch ([email protected])
http://svn.apache.org/viewvc?rev=739522&view=rev Patch ([email protected])
http://svn.apache.org/viewvc?rev=781542&view=rev Patch ([email protected])
http://svn.apache.org/viewvc?rev=781708&view=rev Patch ([email protected])
http://tomcat.apache.org/security-4.html Patch, Vendor Advisory ([email protected])
http://tomcat.apache.org/security-5.html Patch, Vendor Advisory ([email protected])
http://tomcat.apache.org/security-6.html Patch, Vendor Advisory ([email protected])
http://www.debian.org/security/2011/dsa-2207 Third Party Advisory ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 Third Party Advisory ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 Third Party Advisory ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 Third Party Advisory ([email protected])
http://www.securityfocus.com/archive/1/504090/100/0/threaded Third Party Advisory, VDB Entry ([email protected])
http://www.securityfocus.com/archive/1/507985/100/0/threaded Third Party Advisory, VDB Entry ([email protected])
http://www.securityfocus.com/bid/35416 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id?1022336 Third Party Advisory, VDB Entry ([email protected])
http://www.vmware.com/security/advisories/VMSA-2009-0016.html Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2009/1856 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2009/3316 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/3056 Vendor Advisory ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/51195 VDB Entry ([email protected])
https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 Issue Tracking, Patch ([email protected])
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 Issue Tracking ([email protected])
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716 Tool Signature ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913 Tool Signature ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450 Tool Signature ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html Third Party Advisory ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html Third Party Advisory ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html Third Party Advisory ([email protected])
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=127420533226623&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=127420533226623&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=129070310906557&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=129070310906557&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=136485229118404&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=136485229118404&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35685 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35788 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/37460 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/42368 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT4077 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?rev=652592&view=rev Patch (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?rev=681156&view=rev Patch (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?rev=739522&view=rev Patch (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?rev=781542&view=rev Patch (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?rev=781708&view=rev Patch (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-4.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-5.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-6.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2011/dsa-2207 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/504090/100/0/threaded Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/507985/100/0/threaded Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/35416 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id?1022336 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.vmware.com/security/advisories/VMSA-2009-0016.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/1856 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/3316 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/3056 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/51195 VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716 Tool Signature (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913 Tool Signature (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450 Tool Signature (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)