Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2007-2449

Overview

Vulnerability Score 4.3 4.3
CVE Id CVE-2007-2449
Last Modified 30 Oct 2012 10:34:36
Published 14 Jun 2007 07:30:00
Confidentiality Impact NONE NONE
Integrity Impact PARTIAL PARTIAL
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2007-2449

Summary

Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.

Vulnerable Systems

Application

  • Apache Tomcat 4.0.0

  • Apache Tomcat 4.0.1

  • Apache Tomcat 4.0.2

  • Apache Tomcat 4.0.3

  • Apache Tomcat 4.0.4

  • Apache Tomcat 4.0.5

  • Apache Tomcat 4.1.36

  • Apache Tomcat 5.0.0

  • Apache Tomcat 5.0.1

  • Apache Tomcat 5.0.10

  • Apache Tomcat 5.0.11

  • Apache Tomcat 5.0.12

  • Apache Tomcat 5.0.13

  • Apache Tomcat 5.0.14

  • Apache Tomcat 5.0.15

  • Apache Tomcat 5.0.16

  • Apache Tomcat 5.0.17

  • Apache Tomcat 5.0.18

  • Apache Tomcat 5.0.19

  • Apache Tomcat 5.0.2

  • Apache Tomcat 5.0.21

  • Apache Tomcat 5.0.22

  • Apache Tomcat 5.0.23

  • Apache Tomcat 5.0.24

  • Apache Tomcat 5.0.25

  • Apache Tomcat 5.0.26

  • Apache Tomcat 5.0.27

  • Apache Tomcat 5.0.28

  • Apache Tomcat 5.0.29

  • Apache Tomcat 5.0.3

  • Apache Tomcat 5.0.30

  • Apache Tomcat 5.0.4

  • Apache Tomcat 5.0.5

  • Apache Tomcat 5.0.6

  • Apache Tomcat 5.0.7

  • Apache Tomcat 5.0.8

  • Apache Tomcat 5.0.9

  • Apache Tomcat 5.5.0

  • Apache Tomcat 5.5.1

  • Apache Tomcat 5.5.10

  • Apache Tomcat 5.5.11

  • Apache Tomcat 5.5.12

  • Apache Tomcat 5.5.13

  • Apache Tomcat 5.5.14

  • Apache Tomcat 5.5.15

  • Apache Tomcat 5.5.16

  • Apache Tomcat 5.5.17

  • Apache Tomcat 5.5.18

  • Apache Tomcat 5.5.19

  • Apache Tomcat 5.5.2

  • Apache Tomcat 5.5.20

  • Apache Tomcat 5.5.21

  • Apache Tomcat 5.5.22

  • Apache Tomcat 5.5.3

  • Apache Tomcat 5.5.4

  • Apache Tomcat 5.5.5

  • Apache Tomcat 5.5.6

  • Apache Tomcat 5.5.7

  • Apache Tomcat 5.5.8

  • Apache Tomcat 5.5.9

  • Apache Tomcat 6.0.0

  • Apache Tomcat 6.0.1

  • Apache Tomcat 6.0.10

  • Apache Tomcat 6.0.11

  • Apache Tomcat 6.0.12

  • Apache Tomcat 6.0.13

  • Apache Tomcat 6.0.2

  • Apache Tomcat 6.0.3

  • Apache Tomcat 6.0.4

  • Apache Tomcat 6.0.5

  • Apache Tomcat 6.0.6

  • Apache Tomcat 6.0.7

  • Apache Tomcat 6.0.8


References

CONFIRM - http://tomcat.apache.org/security-6.html

VUPEN - ADV-2009-0233

VUPEN - ADV-2008-1981

VUPEN - ADV-2007-3386

VUPEN - ADV-2007-2213

BUGTRAQ - 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)

BUGTRAQ - 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities

BUGTRAQ - 20070614 [CVE-2007-2449] Apache Tomcat XSS vulnerabilities in the JSP examples

CONFIRM - http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

SECUNIA - 33668

SECUNIA - 31493

REDHAT - RHSA-2008:0630

SUSE - SUSE-SR:2009:004

HP - HPSBUX02262

CONFIRM - http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

FEDORA - FEDORA-2007-3456

XF - tomcat-example-xss(34869)

SECTRACK - 1018245

BID - 24476

REDHAT - RHSA-2008:0261

REDHAT - RHSA-2007:0569

MANDRIVA - MDKSA-2007:241

CONFIRM - http://tomcat.apache.org/security-5.html

CONFIRM - http://tomcat.apache.org/security-4.html

CONFIRM - http://support.apple.com/kb/HT2163

SREASON - 2804

SECUNIA - 30802

SECUNIA - 29392

SECUNIA - 27727

SECUNIA - 27037

SECUNIA - 26076

SUSE - SUSE-SR:2008:007

APPLE - APPLE-SA-2008-06-30

OSVDB - 36080

HP - SSRT071447

Related Patches

Apple 2008-06-30 Security Update 2008-004 (PPC)

Apple 2008-06-30 Security Update 2008-004 Server (PPC)

Apple 2008-06-30 Security Update 2008-004 (Intel)

Apple 2008-06-30 Security Update 2008-004 Server (Intel)


Last Updated: 27 May 2016 10:49:48