JVNDB-2007-000457
Apache Tomcat cross-site scripting vulnerability
[Overview]
Apache Tomcat, from the Apache Software Foundation, contains a cross-site scripting vulnerability.
Apache Tomcat, provided by the Apache Software Foundation, is an implementation of Java Servlets and JavaServer Pages technologies.
Apache Tomcat Web Application Manager contains a cross-site scripting vulnerability.
[CVSS V2 Severity]
Base Score: 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
[Affected Products]
Apache Software Foundation
- Apache Tomcat 4.0.0 - 4.0.6
- Apache Tomcat 4.1.0 - 4.1.36
- Apache Tomcat 5.0.0 - 5.0.30
- Apache Tomcat 5.5.0 - 5.5.24
- Apache Tomcat 6.0.0 - 6.0.13
Apple Inc.
- Apple Mac OS X v10.4.11
- Apple Mac OS X Server v10.4.11
Sun Microsystems, Inc.
- Sun Solaris 10 (sparc)
- Sun Solaris 10 (x86)
- Sun Solaris 9 (sparc)
- Sun Solaris 9 (x86)
Hewlett-Packard Development Company, L.P.
- HP-UX 11.11
- HP-UX 11.23
- HP-UX 11.31
MIRACLE LINUX CORPORATION
- Asianux Server 2.0
- Asianux Server 2.1
Red Hat, Inc.
- Red Hat Enterprise Linux 5 (server)
- Red Hat Enterprise Linux Desktop 5.0 (client)
- RHEL Desktop Workstation 5 (client)
[Impact]
When a user logs into Apache Tomcat Web Application Manager, an arbitrary script may be executed in the user's web browser.
[Solution]
[Update the Software]
Apache Tomcat 6.0.x users should update to Apache Tomcat 6.0.14 (http://tomcat.apache.org/download-60.cgi#6.0.14).
For more information, refer to the vendor's website.
[Workarounds]
This issue can be mitigated by logging out of Web Application Manager (and closing the browser) when finished.
When using Apache Tomcat 4.x or 5.x, apply the workaround described above, as the vendor has not provided an update.
[Vendor Information]
Apache Software Foundation
Apple Inc.
Sun Microsystems, Inc.
- Sun Alert Notification : 239312
Hewlett-Packard Development Company, L.P.
MIRACLE LINUX CORPORATION
- MIRACLE LINUX Update Information : tomcat4 (Japanese)
Red Hat, Inc.
[CWE]
- Cross-site Scripting (CWE-79) [NVD Evaluation]
[CVE]
- CVE-2007-2450
[References]
- JVN : JVN#07100457
- National Vulnerability Database (NVD) : CVE-2007-2450
- Secunia Advisory : SA25678
- SecurityFocus : 24475
- ISS X-Force Database : 34868
- SecurityTracker : 1018245
- FrSIRT Advisories : FrSIRT/ADV-2007-2213
[Revision History]
[2008/05/21]
- Web page published
[2008/06/06]
- Affected Products: Added MIRACLE LINUX CORPORATION (tomcat4 (V2.x)).
- Vendor Information: Added MIRACLE LINUX CORPORATION (tomcat4 (V2.x)).
[2008/07/11]
- Affected Products: Added Apple Inc. (Security Update 2008-004).
- Affected Products: Added Sun Microsystems, Inc. (239312).
- Vendor Information: Added Apple Inc. (Security Update 2008-004).
- Vendor Information: Added Sun Microsystems, Inc. (239312).