Apache Tomcat 5.5.25 Deploy/Undeploy/Start/Stop Applications

My friend Gianmarco Pirozzi and I discovered new vulnerabilities affecting Apache Tomcat which allow an attacker to perform the following malicious activities:

  • Undeploy an existing application
  • Deploy a new application
  • Stop an application
  • Start an application
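
As an added detection example (not part of the original advisory, and not Tomcat's own code): the script below scans Tomcat access-log lines written in the "combined" format for the four state-changing Manager commands listed above, on both the text interface (/manager/<command>) and the HTML interface (/manager/html/<command>), and flags any whose Referer is absent or names a different origin. That is the trace a CSRF lure leaves: the victim's browser attaches the administrator's credentials, but the page that triggered the request was not the Manager. The server origin, host names and log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Origin of the Tomcat instance whose access log is being reviewed (assumed value).
SERVER_ORIGIN = "http://tomcat.example.org:8080"

# Combined log format as written by Tomcat's AccessLogValve with pattern="combined":
#   host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The four state-changing Manager commands named in the advisory. The text
# interface serves them as /manager/<cmd>, the HTML interface as /manager/html/<cmd>.
STATE_CHANGING = {"start", "stop", "deploy", "undeploy"}
MANAGER_RE = re.compile(r"^/manager/(?:html/)?(?P<cmd>[a-z]+)$")


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def manager_command(target):
    """Return (command, path parameter) when the request target is a state-changing
    Manager command, otherwise None. Read-only commands such as /manager/list are ignored."""
    parts = urlsplit(target)
    m = MANAGER_RE.match(parts.path)
    if not m or m.group("cmd") not in STATE_CHANGING:
        return None
    path = parse_qs(parts.query).get("path", [None])[0]
    return m.group("cmd"), path


def same_origin(referer, server_origin):
    """True only when the Referer names exactly the Manager's own scheme and host:port.
    A missing Referer ("-") is treated as untrusted: a forged cross-site request cannot
    prove where it came from, so it is not accepted by default."""
    if not referer or referer == "-":
        return False
    r, s = urlsplit(referer), urlsplit(server_origin)
    return (r.scheme.lower(), r.netloc.lower()) == (s.scheme.lower(), s.netloc.lower())


def find_csrf_suspects(lines, server_origin):
    """Flag state-changing Manager commands whose Referer is absent or from another origin."""
    suspects = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = manager_command(rec["target"])
        if cmd is None or same_origin(rec["referer"], server_origin):
            continue
        suspects.append({
            "time": rec["time"],
            "user": rec["user"],
            "cmd": cmd[0],
            "path": cmd[1],
            "status": int(rec["status"]),
            "referer": rec["referer"],
        })
    return suspects


# Constructed sample log lines (not real traffic) in combined format.
SAMPLE_LOG = [
    # An administrator stopping an application from the Manager's own HTML page: legitimate.
    '10.0.0.5 - admin [04/Nov/2013:10:15:02 +0100] "GET /manager/html/stop?path=/examples HTTP/1.1" 200 8192 "http://tomcat.example.org:8080/manager/html" "Mozilla/5.0"',
    # The same browser, seconds later, issuing /manager/stop with a Referer on another site.
    '10.0.0.5 - admin [04/Nov/2013:10:16:44 +0100] "GET /manager/stop?path=/examples HTTP/1.1" 200 41 "http://attacker.example.net/lure.html" "Mozilla/5.0"',
    # An undeploy with no Referer at all.
    '10.0.0.5 - admin [04/Nov/2013:10:16:45 +0100] "GET /manager/undeploy?path=/examples HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    # A deploy of a new context triggered from the foreign page.
    '10.0.0.5 - admin [04/Nov/2013:10:16:46 +0100] "GET /manager/deploy?path=/newapp&war=file:/tmp/newapp.war HTTP/1.1" 200 39 "http://attacker.example.net/lure.html" "Mozilla/5.0"',
    # Read-only Manager command without a Referer: not state-changing, so not flagged.
    '10.0.0.5 - admin [04/Nov/2013:10:17:00 +0100] "GET /manager/list HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    # Ordinary application traffic.
    '10.0.0.7 - - [04/Nov/2013:10:17:05 +0100] "GET /examples/index.html HTTP/1.1" 200 1234 "-" "curl/7.30.0"',
]

if __name__ == "__main__":
    for s in find_csrf_suspects(SAMPLE_LOG, SERVER_ORIGIN):
        print(f'{s["time"]} user={s["user"]} {s["cmd"]} path={s["path"]} '
              f'status={s["status"]} referer={s["referer"]}')
```

Referer checking is a triage heuristic, not a fix: browsers and proxies sometimes strip the Referer, so the missing-Referer rule will also flag some legitimate administrators, and the robust remedy on the server side is a per-session token that is verified on every state-changing Manager command rather than trusting request headers.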

For more details you can read our Original Advisory:
Apache Tomcat 5.5.25 Start/Stop/Deploy/Undeploy Application | CSRF Vulnerabilities

The MITRE CVE Numbering Authority assigned me CVE-2013-6357 for these vulnerabilities.

My advisory has also been published on the following web sites:
http://www.securityfocus.com/bid/63515
http://osvdb.org/show/osvdb/99375
http://packetstormsecurity.com/files/123894/Apache-Tomcat-5.5.25-Cross-Site-Request-Forgery.html
http://www.exploit-db.com/exploits/29435/
http://1337day.com/exploits/21455
http://www.scip.ch/en/?vuldb.11098
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6357
https://bugzilla.redhat.com/show_bug.cgi?id=1030090
http://www.cvedetails.com/cve/CVE-2013-6357/
http://xforce.iss.net/xforce/xfdb/88471
http://en.securitylab.ru/nvd/447679.php
http://www.us-cert.gov/ncas/bulletins/SB13-322
