Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2009-2901

Overview

Vulnerability Score 4.3 4.3
CVE Id CVE-2009-2901
Last Modified 15 Mar 2014 11:50:49
Published 28 Jan 2010 03:30:01
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact NONE NONE
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2009-2901

Summary

The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.

Vulnerable Systems

Application

  • Apache Tomcat 5.5.0

  • Apache Tomcat 5.5.1

  • Apache Tomcat 5.5.10

  • Apache Tomcat 5.5.11

  • Apache Tomcat 5.5.12

  • Apache Tomcat 5.5.13

  • Apache Tomcat 5.5.14

  • Apache Tomcat 5.5.15

  • Apache Tomcat 5.5.16

  • Apache Tomcat 5.5.17

  • Apache Tomcat 5.5.18

  • Apache Tomcat 5.5.19

  • Apache Tomcat 5.5.2

  • Apache Tomcat 5.5.20

  • Apache Tomcat 5.5.21

  • Apache Tomcat 5.5.22

  • Apache Tomcat 5.5.23

  • Apache Tomcat 5.5.24

  • Apache Tomcat 5.5.25

  • Apache Tomcat 5.5.26

  • Apache Tomcat 5.5.27

  • Apache Tomcat 5.5.28

  • Apache Tomcat 5.5.3

  • Apache Tomcat 5.5.4

  • Apache Tomcat 5.5.5

  • Apache Tomcat 5.5.6

  • Apache Tomcat 5.5.7

  • Apache Tomcat 5.5.8

  • Apache Tomcat 5.5.9

  • Apache Tomcat 6.0

  • Apache Tomcat 6.0.0

  • Apache Tomcat 6.0.1

  • Apache Tomcat 6.0.10

  • Apache Tomcat 6.0.11

  • Apache Tomcat 6.0.12

  • Apache Tomcat 6.0.13

  • Apache Tomcat 6.0.14

  • Apache Tomcat 6.0.15

  • Apache Tomcat 6.0.16

  • Apache Tomcat 6.0.17

  • Apache Tomcat 6.0.18

  • Apache Tomcat 6.0.19

  • Apache Tomcat 6.0.2

  • Apache Tomcat 6.0.20

  • Apache Tomcat 6.0.3

  • Apache Tomcat 6.0.4

  • Apache Tomcat 6.0.5

  • Apache Tomcat 6.0.6

  • Apache Tomcat 6.0.7

  • Apache Tomcat 6.0.8

  • Apache Tomcat 6.0.9


References

VUPEN - ADV-2010-0213

CONFIRM - http://tomcat.apache.org/security-6.html

CONFIRM - http://tomcat.apache.org/security-5.html

CONFIRM - http://svn.apache.org/viewvc?rev=902650&view=rev

CONFIRM - http://svn.apache.org/viewvc?rev=892815&view=rev

XF - tomcat-autodeploy-security-bypass(55856)

CONFIRM - http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html

CONFIRM - http://www.vmware.com/security/advisories/VMSA-2011-0003.html

BID - 37942

BUGTRAQ - 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX

BUGTRAQ - 20100124 [SECURITY] CVE-2009-2901 Apache Tomcat insecure partial deploy after failed undeploy

MANDRIVA - MDVSA-2010:177

MANDRIVA - MDVSA-2010:176

UBUNTU - USN-899-1

CONFIRM - http://support.apple.com/kb/HT4077

SECTRACK - 1023503

SECUNIA - 43310

SECUNIA - 39317

SECUNIA - 38541

SECUNIA - 38346

SECUNIA - 38316

SUSE - SUSE-SR:2010:008

APPLE - APPLE-SA-2010-03-29-1

SUSE - openSUSE-SU-2012:1700

SUSE - openSUSE-SU-2012:1701

SUSE - openSUSE-SU-2013:0147

HP - HPSBST02955

SECUNIA - 57126


Last Updated: 27 May 2016 10:58:32