CVE-2012-4431

Published: Dec 19, 2012Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.

Affected (72)

Products: Apache: Tomcat

1 product

Configuration A

42 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 6.0.0
Apache Tomcat	Version 6.0.0 alpha
Apache Tomcat	Version 6.0.10
Apache Tomcat	Version 6.0.11
Apache Tomcat	Version 6.0.12
Apache Tomcat	Version 6.0.13
Apache Tomcat	Version 6.0.14
Apache Tomcat	Version 6.0.15
Apache Tomcat	Version 6.0.16
Apache Tomcat	Version 6.0.17
Apache Tomcat	Version 6.0.18
Apache Tomcat	Version 6.0.19
Apache Tomcat	Version 6.0.1
Apache Tomcat	Version 6.0.1 alpha
Apache Tomcat	Version 6.0.20
Apache Tomcat	Version 6.0.24
Apache Tomcat	Version 6.0.26
Apache Tomcat	Version 6.0.27
Apache Tomcat	Version 6.0.28
Apache Tomcat	Version 6.0.29
Apache Tomcat	Version 6.0.2
Apache Tomcat	Version 6.0.2 alpha
Apache Tomcat	Version 6.0.2 beta
Apache Tomcat	Version 6.0.30
Apache Tomcat	Version 6.0.31
Apache Tomcat	Version 6.0.32
Apache Tomcat	Version 6.0.33
Apache Tomcat	Version 6.0.35
Apache Tomcat	Version 6.0.3
Apache Tomcat	Version 6.0.4
Apache Tomcat	Version 6.0.4 alpha
Apache Tomcat	Version 6.0.5
Apache Tomcat	Version 6.0.6
Apache Tomcat	Version 6.0.6 alpha
Apache Tomcat	Version 6.0.7
Apache Tomcat	Version 6.0.7 alpha
Apache Tomcat	Version 6.0.7 beta
Apache Tomcat	Version 6.0.8
Apache Tomcat	Version 6.0.8 alpha
Apache Tomcat	Version 6.0.9
Apache Tomcat	Version 6.0.9 beta
Apache Tomcat	Version 6.0

Configuration B

30 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 7.0.0
Apache Tomcat	Version 7.0.0 beta
Apache Tomcat	Version 7.0.10
Apache Tomcat	Version 7.0.11
Apache Tomcat	Version 7.0.12
Apache Tomcat	Version 7.0.13
Apache Tomcat	Version 7.0.14
Apache Tomcat	Version 7.0.15
Apache Tomcat	Version 7.0.16
Apache Tomcat	Version 7.0.17
Apache Tomcat	Version 7.0.18
Apache Tomcat	Version 7.0.19
Apache Tomcat	Version 7.0.1
Apache Tomcat	Version 7.0.20
Apache Tomcat	Version 7.0.21
Apache Tomcat	Version 7.0.22
Apache Tomcat	Version 7.0.23
Apache Tomcat	Version 7.0.25
Apache Tomcat	Version 7.0.28
Apache Tomcat	Version 7.0.2
Apache Tomcat	Version 7.0.2 beta
Apache Tomcat	Version 7.0.30
Apache Tomcat	Version 7.0.3
Apache Tomcat	Version 7.0.4
Apache Tomcat	Version 7.0.4 beta
Apache Tomcat	Version 7.0.5
Apache Tomcat	Version 7.0.6
Apache Tomcat	Version 7.0.7
Apache Tomcat	Version 7.0.8
Apache Tomcat	Version 7.0.9

Related CWEs

References (50)

http://archives.neohapsis.com/archives/bugtraq/2012-12/0045.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2013-01/msg00051.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2013-01/msg00080.html

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=136612293908376&w=2

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=139344343412337&w=2

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0267.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0268.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0647.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0648.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-1437.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-1853.html

Source: secalert@redhat.com

http://secunia.com/advisories/57126

Source: secalert@redhat.com

http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?r1=1393088&r2=1393087&pathrev=1393088

Source: secalert@redhat.com

Patch

http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?r1=1393088&r2=1393087&pathrev=1393088

Source: secalert@redhat.com

Patch

http://svn.apache.org/viewvc?view=revision&revision=1393088

Source: secalert@redhat.com

Patch

http://tomcat.apache.org/security-6.html

Source: secalert@redhat.com

Vendor Advisory

http://tomcat.apache.org/security-7.html

Source: secalert@redhat.com

Vendor Advisory

http://www.securityfocus.com/bid/56814

Source: secalert@redhat.com

http://www.securitytracker.com/id?1027834

Source: secalert@redhat.com

http://www.ubuntu.com/usn/USN-1685-1

Source: secalert@redhat.com

https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878

Source: secalert@redhat.com

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18541

Source: secalert@redhat.com

http://archives.neohapsis.com/archives/bugtraq/2012-12/0045.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2013-01/msg00051.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2013-01/msg00080.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://marc.info/?l=bugtraq&m=136612293908376&w=2

Source: af854a3a-2127-422b-91ae-364da2661108

http://marc.info/?l=bugtraq&m=139344343412337&w=2

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-0267.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-0268.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-0647.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-0648.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-1437.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-1853.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/57126

Source: af854a3a-2127-422b-91ae-364da2661108

http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?r1=1393088&r2=1393087&pathrev=1393088

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?r1=1393088&r2=1393087&pathrev=1393088

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://svn.apache.org/viewvc?view=revision&revision=1393088

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://tomcat.apache.org/security-6.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://tomcat.apache.org/security-7.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.securityfocus.com/bid/56814

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securitytracker.com/id?1027834

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-1685-1

Source: af854a3a-2127-422b-91ae-364da2661108

https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878

Source: af854a3a-2127-422b-91ae-364da2661108

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18541

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.