CVE-2009-2901Improper Authentication in Apache Tomcat

CWE-264CWE-287Improper Authentication8 documents7 sources
Severity
4.3MEDIUMNVD
EPSS
6.6%
top 8.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedJan 28
Latest updateMay 2

Description

The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDapache/tomcat51 versions+50

Patches

Patch: svn.apache.orgPatch: svn.apache.orgPatch: tomcat.apache.org

🔴Vulnerability Details

3
OSV
Improper Authentication in Apache Tomcat2022-05-02
GHSA
Improper Authentication in Apache Tomcat2022-05-02
CVEList
CVE-2009-2901: The autodeployment process in Apache Tomcat 52010-01-28

📋Vendor Advisories

2
Ubuntu
Tomcat vulnerabilities2010-02-11
Red Hat
tomcat: insecure partial deploy after failed undeploy2010-01-24

💬Community

2
Bugzilla
CVE-2009-2901 CVE-2009-2902 CVE-2009-2693 CVE-2010-1157 tomcat: multiple vulnerabilities [fedora-all]2010-04-23
Bugzilla
CVE-2009-2901 tomcat: insecure partial deploy after failed undeploy2010-01-28
CVE-2009-2901 — Improper Authentication in Apache | cvebase