mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-28 09:11:28 +00:00
432 lines
16 KiB
JSON
432 lines
16 KiB
JSON
{
|
|
"id": "CVE-2021-24122",
|
|
"sourceIdentifier": "security@apache.org",
|
|
"published": "2021-01-14T15:15:13.400",
|
|
"lastModified": "2022-10-24T17:00:52.023",
|
|
"vulnStatus": "Analyzed",
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances."
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "Cuando se sirven recursos desde una ubicaci\u00f3n de red usando el sistema de archivos NTFS, Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0-M9, versiones 9.0.0.M1 hasta 9.0.39, versiones 8.5.0 hasta 8.5.59 y versiones 7.0.0 hasta 7.0.106, fueron susceptibles a una divulgaci\u00f3n del c\u00f3digo fuente JSP en algunas configuraciones. La causa ra\u00edz fue el comportamiento inesperado de la funci\u00f3n File.getCanonicalPath() de la API JRE que a su vez fue causado por el comportamiento incoherente de la API de Windows (FindFirstFileW) en algunas circunstancias"
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV31": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "HIGH",
|
|
"privilegesRequired": "NONE",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "NONE",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 5.9,
|
|
"baseSeverity": "MEDIUM"
|
|
},
|
|
"exploitabilityScore": 2.2,
|
|
"impactScore": 3.6
|
|
}
|
|
],
|
|
"cvssMetricV2": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "2.0",
|
|
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
|
|
"accessVector": "NETWORK",
|
|
"accessComplexity": "MEDIUM",
|
|
"authentication": "NONE",
|
|
"confidentialityImpact": "PARTIAL",
|
|
"integrityImpact": "NONE",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 4.3
|
|
},
|
|
"baseSeverity": "MEDIUM",
|
|
"exploitabilityScore": 8.6,
|
|
"impactScore": 2.9,
|
|
"acInsufInfo": false,
|
|
"obtainAllPrivilege": false,
|
|
"obtainUserPrivilege": false,
|
|
"obtainOtherPrivilege": false,
|
|
"userInteractionRequired": false
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-706"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"source": "security@apache.org",
|
|
"type": "Secondary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-200"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"configurations": [
|
|
{
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
|
|
"versionStartIncluding": "7.0.0",
|
|
"versionEndIncluding": "7.0.106",
|
|
"matchCriteriaId": "AD7B0066-F7CD-4609-91F5-A778DD56EAE9"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
|
|
"versionStartIncluding": "8.5.0",
|
|
"versionEndIncluding": "8.5.59",
|
|
"matchCriteriaId": "1F74CD42-7B43-4444-B121-B9C1ECFDB67D"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
|
|
"versionStartIncluding": "9.0.1",
|
|
"versionEndIncluding": "9.0.39",
|
|
"matchCriteriaId": "2EA947E9-FC93-4FAA-9988-27BC4C26CA36"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
|
|
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
|
|
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
|
|
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
|
|
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
|
|
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
|
|
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
|
|
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
|
|
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
|
|
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
|
|
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
|
|
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
|
|
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
|
|
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
|
|
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
|
|
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
|
|
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
|
|
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
|
|
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
|
|
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
|
|
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
|
|
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
|
|
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
|
|
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
|
|
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
|
|
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "90CD7E85-4FF9-4158-AC78-4BFCBC882A65"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "7EA56B52-1015-40CD-B10C-393768094269"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*",
|
|
"matchCriteriaId": "501B0D4A-D636-4736-979B-D5023599CEFB"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*",
|
|
"matchCriteriaId": "94E7764F-BF9E-463E-B446-A9A8DB92BB97"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
|
|
"matchCriteriaId": "53A9F7EE-AF2A-43E5-B708-0198784AB45A"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*",
|
|
"matchCriteriaId": "AC872C5F-63AF-4BB8-8629-334FC9704AE8"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*",
|
|
"matchCriteriaId": "94B95C95-DF3E-49C1-9CA0-4474DD7EF7B8"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*",
|
|
"matchCriteriaId": "310B0163-01DE-40DA-A2EA-FFA4A6100037"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*",
|
|
"matchCriteriaId": "75420449-A951-4133-A5F1-4C01F2DF843B"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "http://www.openwall.com/lists/oss-security/2021/01/14/1",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Mailing List",
|
|
"Third Party Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Mailing List",
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Mailing List",
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Mailing List",
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Mailing List",
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Mailing List",
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Mailing List",
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Mailing List",
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Mailing List",
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Mailing List",
|
|
"Third Party Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://security.netapp.com/advisory/ntap-20210212-0008/",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Third Party Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://www.oracle.com//security-alerts/cpujul2021.html",
|
|
"source": "security@apache.org",
|
|
"tags": [
|
|
"Third Party Advisory"
|
|
]
|
|
}
|
|
]
|
|
} |