Description
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.
References (47)
Core 47
Core References
Patch, Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-4.html
Third Party Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138
Third Party Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2011/dsa-2207
Patch x_refsource_confirm
http://svn.apache.org/viewvc?rev=781542&view=rev
Tool Signature vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3056
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/504090/100/0/threaded
Third Party Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
Patch x_refsource_confirm
http://svn.apache.org/viewvc?rev=781708&view=rev
Third Party Advisory vendor-advisory
x_refsource_hp
http://marc.info/?l=bugtraq&m=127420533226623&w=2
Patch x_refsource_confirm
http://svn.apache.org/viewvc?rev=652592&view=rev
Third Party Advisory vendor-advisory
x_refsource_hp
http://marc.info/?l=bugtraq&m=136485229118404&w=2
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37460
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/35788
Mailing List vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
Patch x_refsource_confirm
http://svn.apache.org/viewvc?rev=739522&view=rev
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1856
Third Party Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507985/100/0/threaded
Patch x_refsource_confirm
http://svn.apache.org/viewvc?rev=681156&view=rev
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/42368
Patch, Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-6.html
Third Party Advisory x_refsource_confirm
http://support.apple.com/kb/HT4077
Issue Tracking x_refsource_confirm
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933
Third Party Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html
Tool Signature vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/35685
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1022336
VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/51195
Third Party Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html
Patch, Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-5.html
Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
Third Party Advisory vendor-advisory
x_refsource_hp
http://marc.info/?l=bugtraq&m=129070310906557&w=2
Third Party Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
Third Party Advisory vendor-advisory
x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1
Issue Tracking, Patch x_refsource_confirm
https://issues.apache.org/bugzilla/show_bug.cgi?id=29936
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/35416
Tool Signature vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3316
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
Scores
CVSS v3
4.2
EPSS
0.0081
EPSS Percentile
52.6%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-200
Status
published
Products (2)
apache/tomcat
4.1.0 - 4.1.39
org.apache.tomcat/tomcat
4.1.0Maven
Published
Jun 05, 2009
Tracked Since
Feb 18, 2026