PT-2009-3394 · Apache+2 · Apache Tomcat+2

Published 2009-06-03 · Updated 2023-02-13 · CVE-2009-0783

CVSS v2.0: 4.6 (Medium)

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 4.1.0 through 4.1.39
Apache Tomcat versions 5.5.0 through 5.5.27
Apache Tomcat versions 6.0.0 through 6.0.18

Description

The issue allows local users to read or modify the web.xml, context.xml, or tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. This is possible because a web application can replace the XML parser that Tomcat uses to process these files. In limited circumstances, a rogue web application may therefore be able to view and/or alter the web.xml, context.xml, and tld files of other web applications deployed on the same Tomcat instance.

Recommendations

Update Apache Tomcat to a version outside the affected ranges: for 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, move to a release beyond the end of the respective range. As a temporary workaround, consider restricting access to the XML parser used by Tomcat to minimize the risk of exploitation.
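The description above turns on a deployed web application being able to substitute its own XML parser for the one Tomcat uses. The following added example (not part of this advisory or of Tomcat) is a defender-side inventory check: it walks a webapps directory and lists every application that bundles a JAXP parser provider, on the assumption that such a substitution is carried by a META-INF/services/javax.xml.parsers.* file in WEB-INF/lib jars or WEB-INF/classes. All paths, jar names and class names are constructed for the demonstration.

```python
# Added example, not from the advisory. Assumes a web app replaces Tomcat's XML parser
# by bundling META-INF/services/javax.xml.parsers.* in WEB-INF/lib jars or WEB-INF/classes.
import os
import tempfile
import zipfile

JAXP_SERVICES = (
    "META-INF/services/javax.xml.parsers.DocumentBuilderFactory",
    "META-INF/services/javax.xml.parsers.SAXParserFactory",
)

def providers_in_jar(jar_path):
    """JAXP provider service files present inside one jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [s for s in JAXP_SERVICES if s in names]

def scan_webapps(webapps_dir):
    """Map each deployed app to the bundled JAXP provider locations it ships."""
    findings = {}
    for app in sorted(os.listdir(webapps_dir)):
        app_dir = os.path.join(webapps_dir, app)
        if not os.path.isdir(app_dir):
            continue
        hits = []
        classes = os.path.join(app_dir, "WEB-INF", "classes")
        hits += ["WEB-INF/classes/" + s for s in JAXP_SERVICES
                 if os.path.isfile(os.path.join(classes, s))]
        lib = os.path.join(app_dir, "WEB-INF", "lib")
        jars = sorted(os.listdir(lib)) if os.path.isdir(lib) else []
        for jar in (j for j in jars if j.endswith(".jar")):
            hits += ["WEB-INF/lib/%s!%s" % (jar, s)
                     for s in providers_in_jar(os.path.join(lib, jar))]
        findings[app] = hits
    return findings

def build_sample(root):
    """Constructed webapps dir: 'shop' is clean, 'rogue' bundles a provider."""
    for app, jar, member in (("shop", "util.jar", "com/example/Util.class"),
                             ("rogue", "parser.jar", JAXP_SERVICES[0])):
        lib = os.path.join(root, app, "WEB-INF", "lib")
        os.makedirs(lib)
        with zipfile.ZipFile(os.path.join(lib, jar), "w") as zf:
            zf.writestr(member, "com.example.BundledFactory\n")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webapps(build_sample(tmp))
```

Any application reported with a non-empty list deserves review before it is allowed to deploy ahead of other applications on a Tomcat release in the affected ranges.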


Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2009-0783
DSA-2207-1
GHSA-HHJG-G8XQ-HHR3
HPSBUX02579
HPSBUX02860
RHSA-2009:1143
RHSA-2009:1144
RHSA-2009:1145
RHSA-2009:1146
RHSA-2009:1164
RHSA-2009:1454
RHSA-2009:1506
RHSA-2009:1562
RHSA-2009:1563
RHSA-2009:1616
RHSA-2009:1617
RHSA-2009_1164

Affected Products

Apache Tomcat
Hp-Ux
Red Hat