PT-2010-1276 · Apache · Apache Tomcat

Published 2010-01-21 · Updated 2023-02-13 · CVE-2009-2901

CVSS v2.0: 4.3 (Medium), Vector AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 5.5.0 through 5.5.28
Apache Tomcat versions 6.0.0 through 6.0.20
Description

The autodeployment process in Apache Tomcat, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy. This might allow remote attackers to bypass intended authentication requirements via HTTP requests. By default, Tomcat automatically deploys any directories placed in a host's appBase, and after a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication. This issue only affects Windows platforms.
Recommendations

For Apache Tomcat versions 5.5.0 through 5.5.28 and versions 6.0.0 through 6.0.20, consider disabling the autoDeploy feature so that files remaining after a failed undeploy are not deployed. As a temporary workaround, consider restricting access to the appBase directory to minimize the risk of exploitation.
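The following is an added audit script, not part of this advisory or of the Tomcat project: it scans a Tomcat server.xml for Host elements on which the autoDeploy setting recommended above is still in effect. It assumes Tomcat's documented default, namely that a Host with no autoDeploy attribute behaves as autoDeploy="true"; the server.xml sample and hostnames are constructed.

```python
# Added example: audit a Tomcat server.xml for <Host> elements that still
# auto-deploy content from their appBase, which is the setting the advisory
# recommends disabling for the affected versions.
# Assumption (Tomcat Host documentation): when the autoDeploy attribute is
# absent it defaults to true, so an omitted attribute is reported as enabled.
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one host with an explicit "true", one with the
# attribute omitted (defaults to true), and one corrected host set to "false".
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
      <Host name="intranet.example" appBase="intranet"/>
      <Host name="hardened.example" appBase="hardened" autoDeploy="false" deployOnStartup="true"/>
    </Engine>
  </Service>
</Server>
"""


def autodeploy_enabled(host):
    """Return True when this <Host> will auto-deploy whatever appears in its appBase."""
    value = host.get("autoDeploy")
    if value is None:
        return True  # attribute omitted: Tomcat's documented default is true
    # Tomcat parses the value as a Java boolean, which is case-insensitive.
    return value.strip().lower() == "true"


def find_autodeploy_hosts(server_xml):
    """Return (host name, appBase) pairs for every Host with autoDeploy in effect."""
    root = ET.fromstring(server_xml)
    findings = []
    for host in root.iter("Host"):
        if autodeploy_enabled(host):
            findings.append((host.get("name"), host.get("appBase")))
    return findings


if __name__ == "__main__":
    for name, app_base in find_autodeploy_hosts(SAMPLE_SERVER_XML):
        print(f"Host {name!r}: autoDeploy in effect for appBase {app_base!r}")
```

To audit a real installation, read the file contents of conf/server.xml into a string and pass it to find_autodeploy_hosts in place of the constructed sample.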

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2009-2901
GHSA-HJFH-7C4V-7Q8H

Affected Products

Apache Tomcat