Summary
Apache Commons Daemon is prone to a remote information-disclosure vulnerability in 'jsvc', the service wrapper it provides for running a Java application as a daemon on Linux.
Due to a bug in the capabilities code, jsvc does not drop its privileges as intended after starting as root and switching to the account given with the -user option. The application it launches therefore retains the ability to bypass file permissions, and remote attackers can exploit this, through a request to an application served by the affected instance, to read files and directories owned by the superuser. This allows attackers to obtain sensitive information that may aid in further attacks.
Note: This issue affects applications running on Linux only, and only when jsvc is built with capabilities support (libcap) and started with the -user option.
Versions prior to Commons Daemon 1.0.7 are vulnerable.
The following Apache Tomcat versions which use the affected library are vulnerable:
- Tomcat 7.0.0 through 7.0.19
- Tomcat 6.0.30 through 6.0.32
- Tomcat 5.5.32 through 5.5.33
Solution
Updates are available. Upgrade to Commons Daemon 1.0.7 or later, or to a Tomcat release that bundles the fixed jsvc: Tomcat 7.0.20, 6.0.33 or 5.5.34 or later. Deployments that start Tomcat without jsvc, or run jsvc without the -user option, are not exposed. Please see the references for more information.
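The following script is an added example for this advisory, not code from Commons Daemon or the Tomcat project. It checks the two things a practitioner wants to know: whether a Tomcat or Commons Daemon version string falls in the affected ranges listed above, and, for a running instance, whether the java child that jsvc started still holds the capabilities that let a process ignore file ownership. The second check reads the CapEff line of /proc/<pid>/status and assumes the bit numbers from linux/capability.h (CAP_DAC_OVERRIDE is bit 1, CAP_DAC_READ_SEARCH is bit 2); those numbers, the file name jsvc-check.sh and the sample CapEff values in the comments are this example's assumptions, not statements from the advisory.

```shell
#!/bin/sh
# Added example check for CVE-2011-2729; not part of the advisory or of
# Commons Daemon.  Assumption: capability bit numbers follow
# linux/capability.h (CAP_DAC_OVERRIDE = 1, CAP_DAC_READ_SEARCH = 2).
set -u

# Return 0 if a Tomcat version string lies in a range the advisory lists as
# shipping a vulnerable jsvc (7.0.0-7.0.19, 6.0.30-6.0.32, 5.5.32-5.5.33).
tomcat_version_affected() {
    v=$1
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; patch=${rest#*.}
    case "$maj.$min" in
        7.0) [ "$patch" -le 19 ] ;;
        6.0) [ "$patch" -ge 30 ] && [ "$patch" -le 32 ] ;;
        5.5) [ "$patch" -ge 32 ] && [ "$patch" -le 33 ] ;;
        *)   return 1 ;;
    esac
}

# Return 0 if a Commons Daemon (jsvc) version is older than the fixed 1.0.7.
jsvc_version_affected() {
    v=$1
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; patch=${rest#*.}
    [ "$maj" -lt 1 ] ||
    { [ "$maj" -eq 1 ] && [ "$min" -eq 0 ] && [ "$patch" -lt 7 ]; }
}

# Given the "CapEff" line of /proc/<pid>/status, for example the constructed
# value "CapEff: 0000003fffffffff" (a full root set), return 0 if the
# effective set still contains CAP_DAC_OVERRIDE (bit 1) or
# CAP_DAC_READ_SEARCH (bit 2).  Either lets the process read files and
# directories regardless of owner, which is the exposure the advisory
# describes.  A correctly dropped set has both bits clear and returns 1.
capeff_bypasses_dac() {
    hex=${1#CapEff:}
    hex=$(printf '%s' "$hex" | tr -d '[:space:]')
    [ -n "$hex" ] || return 1
    low=${hex#"${hex%?}"}           # last hex digit carries bits 0..3
    [ $(( 0x$low & 6 )) -ne 0 ]
}

# Live check on this host: sh jsvc-check.sh <pid of the java process jsvc
# started as the -user account>.  On a fixed build the low bits are clear.
if [ -n "${1:-}" ] && [ -r "/proc/$1/status" ]; then
    line=$(grep '^CapEff:' "/proc/$1/status")
    if capeff_bypasses_dac "$line"; then
        echo "pid $1: effective set still bypasses file permissions ($line)"
    else
        echo "pid $1: no DAC-bypass capabilities in effective set ($line)"
    fi
fi
```

The version functions only parse dotted numeric versions as Tomcat and Commons Daemon publish them; a vendor-patched package may carry a backported fix under an older version number, so treat a version hit as a prompt to run the capability check against the live process rather than as proof on its own.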
References
- http://commons.apache.org/daemon/
- http://commons.apache.org/daemon/jsvc.html
- http://mail-archives.apache.org/mod_mbox/tomcat-announce/201108.mbox/%3C4E45221D.1020306@apache.org%3E
- http://tomcat.apache.org/
- http://tomcat.apache.org/security-5.html
- http://tomcat.apache.org/security-6.html
- http://tomcat.apache.org/security-7.html
- http://www.securityfocus.com/bid/49143
Updated on 2015-03-25
Severity
Classification: -
CVE: CVE-2011-2729
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Related Vulnerabilities
- AMSI 'file' Parameter Directory Traversal Vulnerability
- Apache Tomcat source.jsp malformed request information disclosure
- Apache ActiveMQ 'admin/queueBrowse' Cross Site Scripting Vulnerability
- Apache Struts Showcase Multiple Persistence Cross-Site Scripting Vulnerabilities
- Apache Tomcat HTTP BIO Connector Information Disclosure Vulnerability