CVE-2015-5351 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
redhat	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 84%

Vendor	Product	Version
apache	tomcat	7.0.0:beta
apache	tomcat	7.0.2:beta
apache	tomcat	7.0.4:beta
apache	tomcat	7.0.5:beta
apache	tomcat	7.0.6
apache	tomcat	7.0.10
apache	tomcat	7.0.11
apache	tomcat	7.0.12
apache	tomcat	7.0.14
apache	tomcat	7.0.16
apache	tomcat	7.0.19
apache	tomcat	7.0.20
apache	tomcat	7.0.21
apache	tomcat	7.0.22
apache	tomcat	7.0.23
apache	tomcat	7.0.25
apache	tomcat	7.0.26
apache	tomcat	7.0.27
apache	tomcat	7.0.28
apache	tomcat	7.0.29
apache	tomcat	7.0.30
apache	tomcat	7.0.32
apache	tomcat	7.0.33
apache	tomcat	7.0.34
apache	tomcat	7.0.35
apache	tomcat	7.0.37
apache	tomcat	7.0.39
apache	tomcat	7.0.40
apache	tomcat	7.0.41
apache	tomcat	7.0.42
apache	tomcat	7.0.47
apache	tomcat	7.0.50
apache	tomcat	7.0.52
apache	tomcat	7.0.53
apache	tomcat	7.0.54
apache	tomcat	7.0.55
apache	tomcat	7.0.56
apache	tomcat	7.0.57
apache	tomcat	7.0.59
apache	tomcat	7.0.61
apache	tomcat	7.0.62
apache	tomcat	7.0.63
apache	tomcat	7.0.64
apache	tomcat	7.0.65
apache	tomcat	7.0.67
apache	tomcat	8.0.0:rc1
apache	tomcat	8.0.0:rc10
apache	tomcat	8.0.0:rc3
apache	tomcat	8.0.0:rc5
apache	tomcat	8.0.1
apache	tomcat	8.0.3
apache	tomcat	8.0.11
apache	tomcat	8.0.12
apache	tomcat	8.0.14
apache	tomcat	8.0.15
apache	tomcat	8.0.17
apache	tomcat	8.0.18
apache	tomcat	8.0.20
apache	tomcat	8.0.21
apache	tomcat	8.0.22
apache	tomcat	8.0.23
apache	tomcat	8.0.24
apache	tomcat	8.0.26
apache	tomcat	8.0.27
apache	tomcat	8.0.28
apache	tomcat	8.0.29
apache	tomcat	8.0.30
apache	tomcat	9.0.0:milestone1
debian	debian_linux	7.0
debian	debian_linux	8.0
canonical	ubuntu_linux	12.04
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	15.10
canonical	ubuntu_linux	16.04

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

tomcat9

bullseye (security)	9.0.43-2~deb11u10 fixed
bullseye	9.0.43-2~deb11u10 fixed
bookworm	9.0.70-2 fixed
sid	9.0.95-1 fixed
trixie	9.0.95-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

tomcat6

bionic	dne
artful	dne
zesty	dne
yakkety	dne
xenial	not-affected
wily	ignored
trusty	Fixed 6.0.39-1ubuntu0.1 released
precise	not-affected

tomcat7

bionic	not-affected
artful	not-affected
zesty	not-affected
yakkety	not-affected
xenial	not-affected
wily	Fixed 7.0.64-1ubuntu0.3 released
trusty	Fixed 7.0.52-1ubuntu0.6 released
precise	ignored

tomcat8

bionic	not-affected
artful	not-affected
zesty	not-affected
yakkety	not-affected
xenial	not-affected
wily	ignored
trusty	dne
precise	dne

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

http://packetstormsecurity.com/files/135882/Apache-Tomcat-CSRF-Token-Leak.html

http://rhn.redhat.com/errata/RHSA-2016-1089.html

http://rhn.redhat.com/errata/RHSA-2016-2599.html

http://rhn.redhat.com/errata/RHSA-2016-2807.html

http://rhn.redhat.com/errata/RHSA-2016-2808.html

http://seclists.org/bugtraq/2016/Feb/148

http://svn.apache.org/viewvc?view=revision&revision=1720652

http://svn.apache.org/viewvc?view=revision&revision=1720655

http://svn.apache.org/viewvc?view=revision&revision=1720658

http://svn.apache.org/viewvc?view=revision&revision=1720660

http://svn.apache.org/viewvc?view=revision&revision=1720661

http://svn.apache.org/viewvc?view=revision&revision=1720663

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-9.html

http://www.debian.org/security/2016/dsa-3530

http://www.debian.org/security/2016/dsa-3552

http://www.debian.org/security/2016/dsa-3609

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.securityfocus.com/bid/83330

http://www.securitytracker.com/id/1035069

http://www.ubuntu.com/usn/USN-3024-1

https://access.redhat.com/errata/RHSA-2016:1087

https://access.redhat.com/errata/RHSA-2016:1088

https://bto.bluecoat.com/security-advisory/sa118

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://security.gentoo.org/glsa/201705-09

https://security.netapp.com/advisory/ntap-20180531-0001/

https://softwaresupport.hpe.com/document/-/facetsearch/document/KM02978021

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

http://packetstormsecurity.com/files/135882/Apache-Tomcat-CSRF-Token-Leak.html

http://rhn.redhat.com/errata/RHSA-2016-1089.html

http://rhn.redhat.com/errata/RHSA-2016-2599.html

http://rhn.redhat.com/errata/RHSA-2016-2807.html

http://rhn.redhat.com/errata/RHSA-2016-2808.html

http://seclists.org/bugtraq/2016/Feb/148

http://svn.apache.org/viewvc?view=revision&revision=1720652

http://svn.apache.org/viewvc?view=revision&revision=1720655

http://svn.apache.org/viewvc?view=revision&revision=1720658

http://svn.apache.org/viewvc?view=revision&revision=1720660

http://svn.apache.org/viewvc?view=revision&revision=1720661

http://svn.apache.org/viewvc?view=revision&revision=1720663

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-9.html

http://www.debian.org/security/2016/dsa-3530

http://www.debian.org/security/2016/dsa-3552

http://www.debian.org/security/2016/dsa-3609

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.securityfocus.com/bid/83330

http://www.securitytracker.com/id/1035069

http://www.ubuntu.com/usn/USN-3024-1

https://access.redhat.com/errata/RHSA-2016:1087

https://access.redhat.com/errata/RHSA-2016:1088

https://bto.bluecoat.com/security-advisory/sa118

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://security.gentoo.org/glsa/201705-09

https://security.netapp.com/advisory/ntap-20180531-0001/

https://softwaresupport.hpe.com/document/-/facetsearch/document/KM02978021