Information Security

Security vulnerabilities in Apache Tomcat
Published: May 10, 2013
SecurityVulns ID: 13080
Severity level:
Description: DoS, session hijacking, information leak.
Affected products: APACHE : Tomcat 6.0
 APACHE : Tomcat 7.0
CVE:CVE-2013-2071 (java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.)
 CVE-2013-2067 (java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.)
 CVE-2012-3544 (Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.)
Original text: APACHE, CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException (10.05.2013)
 APACHE, [SECURITY] CVE-2013-2067 Session fixation with FORM authenticator (10.05.2013)
 APACHE, [SECURITY] CVE-2012-3544 Chunked transfer encoding extension size is not limited (10.05.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod