Content
Apache Tomcat 3.x vulnerabilities
This page lists all security vulnerabilities fixed in released versions
of Apache Tomcat® 3.x. Each vulnerability is given a
security impact rating by the Apache
Tomcat security team — please note that this rating may vary from
platform to platform. We also list the versions of Apache Tomcat the flaw
is known to affect, and where a flaw has not been verified list the
version with a question mark.
Please note that Tomcat 3 is no longer supported. Further
vulnerabilities in the 3.x branches will not be fixed. Users should upgrade
to 8.5.x or later to obtain security fixes.
Please send comments or corrections for these vulnerabilities to the
Tomcat Security Team.
Table of Contents
Not fixed in Apache Tomcat 3.x
Important: Denial of service
CVE-2005-0808
Tomcat 3.x can be remotely caused to crash or shutdown by a connection
sending the right sequence of bytes to the AJP12 protocol port (TCP 8007
by default). Tomcat 3.x users are advised to ensure that this port is
adequately firewalled to ensure it is not accessible to remote attackers.
There are no plans to issue a an update to Tomcat 3.x for this issue.
Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.2
Low: Session hi-jacking
CVE-2007-3382
Tomcat incorrectly treated a single quote character (') in a cookie
value as a delimiter. In some circumstances this lead to the leaking of
information such as session ID to an attacker.
Affects: 3.3-3.3.2
Low: Cross site scripting
CVE-2007-3384
When reporting error messages, Tomcat does not filter user supplied data
before display. This enables an XSS attack. A source patch is available
from the
archives.
Affects: 3.3-3.3.2
Low: Session hi-jacking
CVE-2007-3385
Tomcat incorrectly handled the character sequence \" in a cookie value.
In some circumstances this lead to the leaking of information such as
session ID to an attacker.
Affects: 3.3-3.3.2
Fixed in Apache Tomcat 3.3.2
Moderate: Cross site scripting
CVE-2003-0044
The root web application and the examples web application contained a
number a cross-site scripting vulnerabilities. Note that is it
recommended that the examples web application is not installed on
production servers.
Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1a
Fixed in Apache Tomcat 3.3.1a
Important: Information disclosure
CVE-2003-0043
When used with JDK 1.3.1 or earlier, web.xml files were read with
trusted privileges enabling files outside of the web application to be
read even when running under a security manager.
Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1
Important: Information disclosure
CVE-2003-0042
URLs containing null characters could result in file contents being
returned or a directory listing being returned even when a welcome file
was defined.
Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1
Fixed in Apache Tomcat 3.3.1
Important: Denial of service
CVE-2003-0045
JSP page names that match a Windows DOS device name, such as aux.jsp, may
cause the thread processing the request to become unresponsive. A
sequence of such requests may cause all request processing threads, and
hence Tomcat, to become unresponsive.
Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a
Fixed in Apache Tomcat 3.3a
Moderate: Information disclosure
CVE-2002-2007
Non-standard requests to the sample applications installed by default
could result in unexpected directory listings or disclosure of the full
file system path for a JSP.
Affects: 3.2.3-3.2.4
Low: Information disclosure
CVE-2002-2006,
CVE-2000-0760
The snoop servlet installed as part of the examples includes output that
identifies the Tomcat installation path. There are no plans to issue a an
update to Tomcat 3.x for this issue.
Affects:3.1-3.1.1, 3.2-3.2.4
Fixed in Apache Tomcat 3.2.4
Moderate: Information disclosure
CVE-2001-1563
No specifics are provided in the vulnerability report. This may be a
summary of other issues reported against 3.2.x
Affects: 3.2?, 3.2.1, 3.2.2-3.2.3?
Fixed in Apache Tomcat 3.2.2
Moderate: Cross site scripting
CVE-2001-0829
The default 404 error page does not escape URLs. This allows XSS
attacks using specially crafted URLs.
Affects: 3.0, 3.1-3.1.1, 3.2-3.2.1
Moderate: Information disclosure
CVE-2001-0590
A specially crafted URL can be used to obtain the source for JSPs.
Affects: 3.0, 3.1-3.1.1, 3.2-3.2.1
Fixed in Apache Tomcat 3.2
Low: Information disclosure
CVE-2000-0759
Requesting a JSP that does not exist results in an error page that
includes the full file system page of the current context.
Affects: 3.1
Important: Information disclosure
CVE-2000-0672
Access to the admin context is not protected. This context allows an
attacker to mount an arbitary file system path as a context. Any files
accessible from this file sytem path to the account under which Tomcat
is running are then visible to the attacker.
Affects: 3.1
Fixed in Apache Tomcat 3.1
Important: Information disclosure
CVE-2000-1210
source.jsp, provided as part of the examples, allows an attacker to read
arbitrary files via a .. (dot dot) in the argument to source.jsp.
Affects: 3.0