CVE-2007-6286

Sažetak

Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.

Reference

http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://secunia.com/advisories/28878
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html
http://secunia.com/advisories/28915
http://security.gentoo.org/glsa/glsa-200804-10.xml
http://secunia.com/advisories/29711
http://securityreason.com/securityalert/3637
http://www.vmware.com/security/advisories/VMSA-2008-0010.html
http://secunia.com/advisories/30676
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
http://www.securityfocus.com/bid/31681
http://secunia.com/advisories/32222
http://support.apple.com/kb/HT3216
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
http://secunia.com/advisories/37460
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/3316
http://www.vupen.com/english/advisories/2008/0488
http://www.vupen.com/english/advisories/2008/1856/references
http://www.vupen.com/english/advisories/2008/2780
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/57126
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/archive/1/487823/100/0/threaded
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

07-11-2023 - 02:01

Objavljeno

12-02-2008 - 01:00