PT-2007-6497 · Apache · Apache Tomcat
Published 2007-10-15 · Updated 2022-05-01 · CVE-2007-5461
CVSS v2.0: 3.5 (Low)
| Vector | AV:N/AC:M/Au:S/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Apache Tomcat versions 4.0.0 through 4.0.6
Apache Tomcat version 4.1.0
Apache Tomcat versions 5.0.0 through 5.5.25
Apache Tomcat versions 6.0.0 through 6.0.14
Description:
The issue allows remote authenticated users to read arbitrary files (those readable by the Tomcat process) under certain configurations. It occurs when Tomcat's WebDAV servlet is mapped into a context and has been enabled for write: the XML body of a WebDAV write request can declare an entity with a SYSTEM identifier that points at a file on the server, the servlet's XML parser resolves that external entity, and the contents of the referenced file are returned to the client in the response. Some WebDAV requests can therefore result in the contents of arbitrary files being disclosed.
Recommendations:
For Apache Tomcat versions 4.0.0 through 4.0.6, consider disabling the WebDAV servlet until a patch is available.
For Apache Tomcat version 4.1.0, restrict access to the WebDAV servlet to minimize the risk of exploitation.
For Apache Tomcat versions 5.0.0 through 5.5.25, avoid using the WebDAV write request with a SYSTEM tag until the issue is resolved.
For Apache Tomcat versions 6.0.0 through 6.0.14, consider temporarily disabling the WebDAV servlet to prevent arbitrary file reads.
Exploit
Fix
Path traversal
Affected Products
Apache Tomcat
Red Hat