Date: Sun, 1 Aug 2021 21:52:46 GMT From: Kevin Bowling <kbowling@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 9c1924450f57 - main - security/vuxml: document tomcat CVE-2021-30640 Message-ID: <202108012152.171LqkmC095899@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by kbowling: URL: https://cgit.FreeBSD.org/ports/commit/?id=9c1924450f57ec143cd6f72aa1c9a48f30f755ee commit 9c1924450f57ec143cd6f72aa1c9a48f30f755ee Author: Kevin Bowling <kbowling@FreeBSD.org> AuthorDate: 2021-08-01 21:51:39 +0000 Commit: Kevin Bowling <kbowling@FreeBSD.org> CommitDate: 2021-08-01 21:52:40 +0000 security/vuxml: document tomcat CVE-2021-30640 PR: 257153 --- security/vuxml/vuln-2021.xml | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index f99ceeea1d96..901b873ac212 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,42 @@ + <vuln vid="8b571fb2-f311-11eb-b12b-fc4dd43e2b6a"> + <topic>tomcat -- JNDI Realm Authentication Weakness in multiple versions</topic> + <affects> + <package> + <name>tomcat7</name> + <range><ge>7.0.0</ge><le>7.0.108</le></range> + </package> + <package> + <name>tomcat85</name> + <range><ge>8.5.0</ge><le>8.5.65</le></range> + </package> + <package> + <name>tomcat9</name> + <range><ge>9.0.0</ge><le>9.0.45</le></range> + </package> + <package> + <name>tomcat10</name> + <range><ge>10.0.0</ge><le>10.0.5</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>ilja.farber reports:</p> + <blockquote cite="https://tomcat.apache.org/security.html"> + <p>Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (eg user names) as well as configuration data provided by an administrator. +In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-30640</cvename> + <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640</url> + </references> + <dates> + <discovery>2021-04-08</discovery> + <entry>2021-08-01</entry> + </dates> + </vuln> + <vuln vid="cc7c85d9-f30a-11eb-b12b-fc4dd43e2b6a"> <topic>tomcat -- Remote Denial of Service in multiple versions</topic> <affects> @@ -28,7 +67,7 @@ <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639</url> </references> <dates> - <discovery>2021-07-12</discovery> + <discovery>2021-03-24</discovery> <entry>2021-08-01</entry> </dates> </vuln>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202108012152.171LqkmC095899>