CVE-2009-2901

Severity

43%

Complexity

86%

Confidentiality

48%

The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.

The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N).

Overview

Type

Apache Software Foundation Tomcat

First reported 15 years ago

2010-01-28 20:30:00

Last updated 5 years ago

2019-03-25 11:30:00

Affected Software

Apache Software Foundation Tomcat 5.5.0

5.5.0

Apache Software Foundation Tomcat 5.5.1

5.5.1

Apache Software Foundation Tomcat 5.5.2

5.5.2

Apache Software Foundation Tomcat 5.5.3

5.5.3

Apache Software Foundation Tomcat 5.5.4

5.5.4

Apache Software Foundation Tomcat 5.5.5

5.5.5

Apache Software Foundation Tomcat 5.5.6

5.5.6

Apache Software Foundation Tomcat 5.5.7

5.5.7

Apache Software Foundation Tomcat 5.5.8

5.5.8

Apache Software Foundation Tomcat 5.5.9

5.5.9

Apache Software Foundation Tomcat 5.5.10

5.5.10

Apache Software Foundation Tomcat 5.5.11

5.5.11

Apache Software Foundation Tomcat 5.5.12

5.5.12

Apache Software Foundation Tomcat 5.5.13

5.5.13

Apache Software Foundation Tomcat 5.5.14

5.5.14

Apache Software Foundation Tomcat 5.5.15

5.5.15

Apache Software Foundation Tomcat 5.5.16

5.5.16

Apache Software Foundation Tomcat 5.5.17

5.5.17

Apache Software Foundation Tomcat 5.5.18

5.5.18

Apache Software Foundation Tomcat 5.5.19

5.5.19

Apache Software Foundation Tomcat 5.5.20

5.5.20

Apache Software Foundation Tomcat 5.5.21

5.5.21

Apache Software Foundation Tomcat 5.5.22

5.5.22

Apache Software Foundation Tomcat 5.5.23

5.5.23

Apache Software Foundation Tomcat 5.5.24

5.5.24

Apache Software Foundation Tomcat 5.5.25

5.5.25

Apache Software Foundation Tomcat 5.5.26

5.5.26

Apache Software Foundation Tomcat 5.5.27

5.5.27

Apache Software Foundation Tomcat 5.5.28

5.5.28

Apache Software Foundation Tomcat 6.0

6.0

Apache Software Foundation Tomcat 6.0.0

6.0.0

Apache Software Foundation Tomcat 6.0.1

6.0.1

Apache Software Foundation Tomcat 6.0.2

6.0.2

Apache Software Foundation Tomcat 6.0.3

6.0.3

Apache Software Foundation Tomcat 6.0.4

6.0.4

Apache Software Foundation Tomcat 6.0.5

6.0.5

Apache Software Foundation Tomcat 6.0.6

6.0.6

Apache Software Foundation Tomcat 6.0.7

6.0.7

Apache Software Foundation Tomcat 6.0.8

6.0.8

Apache Software Foundation Tomcat 6.0.9

6.0.9

Apache Software Foundation Tomcat 6.0.10

6.0.10

Apache Software Foundation Tomcat 6.0.11

6.0.11

Apache Software Foundation Tomcat 6.0.12

6.0.12

Apache Software Foundation Tomcat 6.0.13

6.0.13

Apache Software Foundation Tomcat 6.0.14

6.0.14

Apache Software Foundation Tomcat 6.0.15

6.0.15

Apache Software Foundation Tomcat 6.0.16

6.0.16

Apache Software Foundation Tomcat 6.0.17

6.0.17

Apache Software Foundation Tomcat 6.0.18

6.0.18

Apache Software Foundation Tomcat 6.0.19

6.0.19

Apache Software Foundation Tomcat 6.0.20

6.0.20

References

APPLE-SA-2010-03-29-1

SUSE-SR:2010:008

openSUSE-SU-2012:1700

openSUSE-SU-2012:1701

openSUSE-SU-2013:0147

HPSBMA02535

HPSBOV02762

HPSBST02955

38316

Vendor Advisory

38346

Vendor Advisory

38541

39317

43310

57126

1023503

http://support.apple.com/kb/HT4077

http://svn.apache.org/viewvc?rev=892815&view=rev

Patch

http://svn.apache.org/viewvc?rev=902650&view=rev

Patch

http://tomcat.apache.org/security-5.html

Patch, Vendor Advisory

http://tomcat.apache.org/security-6.html

Patch, Vendor Advisory

USN-899-1

MDVSA-2010:176

MDVSA-2010:177

20100124 [SECURITY] CVE-2009-2901 Apache Tomcat insecure partial deploy after failed undeploy

20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX

37942

http://www.vmware.com/security/advisories/VMSA-2011-0003.html

http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html

ADV-2010-0213

Patch, Vendor Advisory

tomcat-autodeploy-security-bypass(55856)

[tomcat-dev] 20190319 svn commit: r1855831 [22/30] - in /tomcat/site/trunk: ./ docs/ xdocs/

[tomcat-dev] 20190325 svn commit: r1856174 [20/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/

[tomcat-dev] 20200213 svn commit: r1873980 [25/34] - /tomcat/site/trunk/docs/

[tomcat-dev] 20200203 svn commit: r1873527 [22/30] - /tomcat/site/trunk/docs/

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.