CVE-2009-2901 – org.apache.tomcat:tomcat
Package
Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=5.5.0 <5.5.29 || >=6.0.0 <6.0.24
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.06552 (percentile: 0.90763)
Details
Improper Authentication in Apache Tomcat
The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.
Metadata
Created: 2022-05-02T03:39:47Z
Modified: 2024-02-21T16:53:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hjfh-7c4v-7q8h/GHSA-hjfh-7c4v-7q8h.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-hjfh-7c4v-7q8h
Finding: F039
Auto approve: 1