pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
307fb8e080
vuln-list-alt/oval/c10f1/ALT-PU-2018-1731/definitions.json
pepelyaevip 56bb29c44b ALT Vulnerability
2024-06-28 13:17:52 +00:00

193 lines
9.3 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20181731",
"Version": "oval:org.altlinux.errata:def:20181731",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2018-1731: package `tomcat` update to version 8.5.29-alt1_1jpp8",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c10f1"
],
"Products": [
"ALT SP Workstation",
"ALT SP Server"
]
}
],
"References": [
{
"RefID": "ALT-PU-2018-1731",
"RefURL": "https://errata.altlinux.org/ALT-PU-2018-1731",
"Source": "ALTPU"
},
{
"RefID": "BDU:2019-01758",
"RefURL": "https://bdu.fstec.ru/vul/2019-01758",
"Source": "BDU"
},
{
"RefID": "BDU:2019-01759",
"RefURL": "https://bdu.fstec.ru/vul/2019-01759",
"Source": "BDU"
},
{
"RefID": "CVE-2016-5388",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-5388",
"Source": "CVE"
},
{
"RefID": "CVE-2017-15706",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-15706",
"Source": "CVE"
},
{
"RefID": "CVE-2018-1304",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-1304",
"Source": "CVE"
},
{
"RefID": "CVE-2018-1305",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-1305",
"Source": "CVE"
}
],
"Description": "This update upgrades tomcat to version 8.5.29-alt1_1jpp8. \nSecurity Fix(es):\n\n * BDU:2019-01758: Уязвимость сервера приложений Apache Tomcat, связанная с недостатками контроля доступа, позволяющая нарушителю повысить свои привилегии\n\n * BDU:2019-01759: Уязвимость сервера приложений Apache Tomcat, связанная с ошибками в настройках безопасности, позволяющая нарушителю получить доступ к ресурсам веб-приложений\n\n * CVE-2016-5388: Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue. NOTE: the vendor states \"A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388\"; in other words, this is not a CVE ID for a vulnerability.\n\n * CVE-2017-15706: As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.\n\n * CVE-2018-1304: The URL pattern of \"\" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.\n\n * CVE-2018-1305: Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2018-05-17"
},
"Updated": {
"Date": "2018-05-17"
},
"BDUs": [
{
"ID": "BDU:2019-01758",
"CVSS": "AV:N/AC:L/Au:S/C:C/I:N/A:N",
"CVSS3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-284",
"Href": "https://bdu.fstec.ru/vul/2019-01758",
"Impact": "Low",
"Public": "20180223"
},
{
"ID": "BDU:2019-01759",
"CVSS": "AV:N/AC:M/Au:N/C:C/I:N/A:N",
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-254",
"Href": "https://bdu.fstec.ru/vul/2019-01759",
"Impact": "Low",
"Public": "20180228"
}
],
"CVEs": [
{
"ID": "CVE-2016-5388",
"CVSS": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-284",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-5388",
"Impact": "High",
"Public": "20160719"
},
{
"ID": "CVE-2017-15706",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"CWE": "CWE-358",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-15706",
"Impact": "Low",
"Public": "20180131"
},
{
"ID": "CVE-2018-1304",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-1304",
"Impact": "Low",
"Public": "20180228"
},
{
"ID": "CVE-2018-1305",
"CVSS": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-1305",
"Impact": "Low",
"Public": "20180223"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:spworkstation:10",
"cpe:/o:alt:spserver:10"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:4001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20181731001",
"Comment": "tomcat is earlier than 1:8.5.29-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181731002",
"Comment": "tomcat-admin-webapps is earlier than 1:8.5.29-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181731003",
"Comment": "tomcat-docs-webapp is earlier than 1:8.5.29-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181731004",
"Comment": "tomcat-el-3.0-api is earlier than 1:8.5.29-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181731005",
"Comment": "tomcat-javadoc is earlier than 1:8.5.29-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181731006",
"Comment": "tomcat-jsp-2.3-api is earlier than 1:8.5.29-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181731007",
"Comment": "tomcat-jsvc is earlier than 1:8.5.29-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181731008",
"Comment": "tomcat-lib is earlier than 1:8.5.29-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181731009",
"Comment": "tomcat-servlet-3.1-api is earlier than 1:8.5.29-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181731010",
"Comment": "tomcat-webapps is earlier than 1:8.5.29-alt1_1jpp8"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink