CVE-2009-0783

Description

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.

Category

CVSS score: 4.2 (Severity: Medium)
EPSS: 0.10%

References

Link (tags)

http://tomcat.apache.org/security-4.html (patch, vendor advisory)
http://marc.info/?l=bugtraq&m=127420533226623&w=2 (third party advisory, vendor advisory)
http://svn.apache.org/viewvc?rev=652592&view=rev (patch)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 (third party advisory, vendor advisory)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html (third party advisory, vendor advisory)
http://www.debian.org/security/2011/dsa-2207 (third party advisory, vendor advisory)
http://marc.info/?l=bugtraq&m=136485229118404&w=2 (third party advisory, vendor advisory)
http://secunia.com/advisories/37460 (third party advisory, vendor advisory)
http://svn.apache.org/viewvc?rev=781542&view=rev (patch)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913 (vdb entry, tool signature)
http://www.vupen.com/english/advisories/2010/3056 (vdb entry, vendor advisory)
http://www.securityfocus.com/archive/1/504090/100/0/threaded (mailing list, vdb entry, third party advisory)
http://www.vmware.com/security/advisories/VMSA-2009-0016.html (third party advisory)
http://secunia.com/advisories/35788 (third party advisory, vendor advisory)
http://svn.apache.org/viewvc?rev=781708&view=rev (patch)
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html (mailing list, vendor advisory)
http://svn.apache.org/viewvc?rev=739522&view=rev (patch)
http://www.vupen.com/english/advisories/2009/1856 (vdb entry, vendor advisory)
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 (third party advisory, vendor advisory)
http://www.securityfocus.com/archive/1/507985/100/0/threaded (mailing list, vdb entry, third party advisory)
http://svn.apache.org/viewvc?rev=681156&view=rev (patch)
http://secunia.com/advisories/42368 (third party advisory, vendor advisory)
http://tomcat.apache.org/security-6.html (patch, vendor advisory)
http://support.apple.com/kb/HT4077 (third party advisory)
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 (issue tracking)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html (third party advisory, vendor advisory)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450 (vdb entry, tool signature)
http://secunia.com/advisories/35685 (third party advisory, vendor advisory)
http://www.securitytracker.com/id?1022336 (vdb entry, third party advisory)
https://exchange.xforce.ibmcloud.com/vulnerabilities/51195 (vdb entry)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html (third party advisory, vendor advisory)
http://tomcat.apache.org/security-5.html (patch, vendor advisory)
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html (third party advisory, vendor advisory)
http://marc.info/?l=bugtraq&m=129070310906557&w=2 (third party advisory, vendor advisory)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 (third party advisory, vendor advisory)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 (third party advisory, vendor advisory)
https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 (issue tracking, patch)
http://www.securityfocus.com/bid/35416 (vdb entry, third party advisory)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716 (vdb entry, tool signature)
http://www.vupen.com/english/advisories/2009/3316 (vdb entry, vendor advisory)
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E (mailing list)
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E (mailing list)
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E (mailing list)
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E (mailing list)
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E (mailing list)
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E (mailing list)
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E (mailing list)

Frequently Asked Questions

What is the severity of CVE-2009-0783?
CVE-2009-0783 has been scored as a medium severity vulnerability.
How to fix CVE-2009-0783?
To fix CVE-2009-0783, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. For now, there are no other specific guidelines available.
Is CVE-2009-0783 being actively exploited in the wild?
For now, there is no information confirming that CVE-2009-0783 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.