CVE-2007-2449

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 4.0.0 through 4.0.6 Apache Tomcat versions 4.1.0 through 4.1.36 Apache Tomcat versions 5.0.0 through 5.0.30 Apache Tomcat versions 5.5.0 through 5.5.24 Apache Tomcat versions 6.0.0 through 6.0.13

Description The issue allows remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ; character. This can be demonstrated by a URI containing a sequence such as snp/snoop.jsp;. The vulnerability is related to certain JSP files in the examples web application.

Recommendations For Apache Tomcat versions 4.0.0 through 4.0.6, consider disabling the examples web application until a patch is available. For Apache Tomcat versions 4.1.0 through 4.1.36, restrict access to the vulnerable JSP files in the examples web application to minimize the risk of exploitation. For Apache Tomcat versions 5.0.0 through 5.0.30, avoid using URIs that contain sequences after the ; character in the examples web application. For Apache Tomcat versions 5.5.0 through 5.5.24, consider removing or restricting access to the snp/snoop.jsp file as a temporary workaround. For Apache Tomcat versions 6.0.0 through 6.0.13, apply configuration changes to prevent injection of arbitrary web script or HTML via the URI.