Vulnerability CVE-2003-0044 - CERT Civis.Net

Vulnerability Name:

CVE-2003-0044 (CCN-11196)

Assigned:

2003-01-25

Published:

2003-01-25

Updated:

2017-07-11

Summary:

Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.

CVSS v3 Severity:

5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2003-0044

Source: CCN
Type: Apache Jakarta Project Web site
Index of /builds/jakarta-tomcat/release/v3.3.1a

Source: CONFIRM
Type: Vendor Advisory
http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/

Source: CONFIRM
Type: Vendor Advisory
http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt

Source: CCN
Type: SA7972
Debian updates to tomcat

Source: SECUNIA
Type: UNKNOWN
7972

Source: CCN
Type: CIAC Information Bulletin N-060
Vulnerabilities in Tomcat 3.3.1

Source: CIAC
Type: UNKNOWN
N-060

Source: DEBIAN
Type: Patch, Vendor Advisory
DSA-246

Source: DEBIAN
Type: DSA-246
tomcat -- information exposure

Source: OSVDB
Type: UNKNOWN
9203

Source: OSVDB
Type: UNKNOWN
9204

Source: CCN
Type: OSVDB ID: 9203
Apache Tomcat examples Application XSS

Source: CCN
Type: OSVDB ID: 9204
Apache Tomcat ROOT Application XSS

Source: HP
Type: UNKNOWN
HPSBUX0303-249

Source: BID
Type: UNKNOWN
6720

Source: CCN
Type: BID-6720
Apache Tomcat Example Web Application Cross Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
tomcat-web-app-xss(11196)

Source: XF
Type: UNKNOWN
tomcat-web-app-xss(11196)

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:tomcat:3.0:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2.4:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.3.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.3.1a:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apache:tomcat:3.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.0:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2.4:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.3.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.3.1a:*:*:*:*:*:*:*

AND

cpe:/o:hp:hp-ux:11.00:*:*:*:*:*:*:*

OR cpe:/o:hp:hp-ux:11.11:*:*:*:*:*:*:*

OR cpe:/o:hp:hp-ux:11.20:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*

OR cpe:/o:hp:hp-ux:11.22:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.debian:def:246	V	information exposure, cross site scripting	2003-01-29