Apache Tomcat 5.5.25 HTTP Request cross-site request forgery


A vulnerability classified as problematic was found in Apache Tomcat 5.5.25 (Application Server Software). It affects an unknown part of the HTTP Request Handler component. Applying a patch eliminates this problem.

Field                  | 11/07/2013 09:25 AM                                                                                  | 08/13/2018 07:04 AM
type                   | Application Server Software                                                                          | Application Server Software
vendor                 | Apache                                                                                               | Apache
name                   | Tomcat                                                                                               | Tomcat
version                | 5.5.25                                                                                               | 5.5.25
component              | HTTP Request Handler                                                                                 | HTTP Request Handler
cwe                    | 352 (cross site request forgery)                                                                     | 352 (cross site request forgery)
risk                   | 1                                                                                                    | 1
historic               | 0                                                                                                    | 0
cvss2_vuldb_basescore  | 5.8                                                                                                  | 5.8
cvss2_vuldb_tempscore  | 4.5                                                                                                  | 4.5
cvss2_vuldb_av         | N                                                                                                    | N
cvss2_vuldb_ac         | M                                                                                                    | M
cvss2_vuldb_au         | N                                                                                                    | N
cvss2_vuldb_ci         | P                                                                                                    | P
cvss2_vuldb_ii         | P                                                                                                    | P
cvss2_vuldb_ai         | N                                                                                                    | N
cvss3_meta_basescore   | 5.4                                                                                                  | 5.4
cvss3_meta_tempscore   | 4.9                                                                                                  | 4.9
cvss3_vuldb_basescore  | 5.4                                                                                                  | 5.4
cvss3_vuldb_tempscore  | 4.9                                                                                                  | 4.9
date                   | 1383523200 (11/04/2013)                                                                              | 1383523200 (11/04/2013)
location               | Website                                                                                              | Website
type                   | Advisory                                                                                             | Advisory
url                    | http://packetstormsecurity.com/files/123894/Apache-Tomcat-5.5.25-Cross-Site-Request-Forgery.html     | http://packetstormsecurity.com/files/123894/Apache-Tomcat-5.5.25-Cross-Site-Request-Forgery.html
identifier             | Apache Tomcat 5.5.25 Cross Site Request Forgery                                                      | Apache Tomcat 5.5.25 Cross Site Request Forgery
coordination           | 0                                                                                                    | 0
person_name            | Ivano Binetti                                                                                        | Ivano Binetti
person_website         | http://www.ivanobinetti.com/                                                                         | http://www.ivanobinetti.com/
disputed               | 1                                                                                                    | 1
availability           | 1                                                                                                    | 1
date                   | 1383523200 (11/04/2013)                                                                              | 1383523200 (11/04/2013)
publicity              | 1                                                                                                    | 1
url                    | http://packetstormsecurity.com/files/123894/Apache-Tomcat-5.5.25-Cross-Site-Request-Forgery.html     | http://packetstormsecurity.com/files/123894/Apache-Tomcat-5.5.25-Cross-Site-Request-Forgery.html
price_0day             | $5k-$25k                                                                                             | $5k-$25k
name                   | Patch                                                                                                | Patch
cve                    | CVE-2013-6357                                                                                        | CVE-2013-6357
cve_assigned           | 1383436800                                                                                           | 1383436800
cve_nvd_published      | 1384300800                                                                                           | 1384300800
cve_nvd_summary        | ** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator." | ** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator."
osvdb                  | 99375                                                                                                | 99375
securityfocus          | 63515                                                                                                | 63515
securityfocus_date     | 1382572800 (10/24/2013)                                                                              | 1382572800 (10/24/2013)
securityfocus_class    | Input Validation Error                                                                               | Input Validation Error
securityfocus_title    | Apache Tomcat Manager Component CVE-2013-6357 Cross Site Request Forgery Vulnerability               | Apache Tomcat Manager Component CVE-2013-6357 Cross Site Request Forgery Vulnerability
cvss3_vuldb_av         | N                                                                                                    | N
cvss3_vuldb_ac         | L                                                                                                    | L
cvss3_vuldb_ui         | R                                                                                                    | R
cvss2_vuldb_e          | POC                                                                                                  | POC
cvss2_vuldb_rl         | OF                                                                                                   | OF
cvss2_vuldb_rc         | C                                                                                                    | C
cvss3_vuldb_e          | P                                                                                                    | P
cvss3_vuldb_rl         | O                                                                                                    | O
cvss3_vuldb_rc         | C                                                                                                    | C
cvss3_vuldb_pr         | N                                                                                                    | N
cvss3_vuldb_s          | U                                                                                                    | U
cvss3_vuldb_c          | L                                                                                                    | L
cvss3_vuldb_i          | L                                                                                                    | L
cvss3_vuldb_a          | N                                                                                                    | N
cvss2_nvd_av           |                                                                                                      | N
cvss2_nvd_ac           |                                                                                                      | M
cvss2_nvd_au           |                                                                                                      | N
cvss2_nvd_ci           |                                                                                                      | P
cvss2_nvd_ii           |                                                                                                      | P
cvss2_nvd_ai           |                                                                                                      | P
developer_name         |                                                                                                      | Ivano Binetti
exploitdb              |                                                                                                      | 29435
exploitdb_date         |                                                                                                      | 1383516000 (11/03/2013)
