CVE-2013-6357

Published: Nov 13, 2013Modified: Apr 29, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator.

Affected (93)

Products: Apache: Tomcat

Apache

1 product

Tomcat

Configuration A

93 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Up to 5.5.25
Apache Tomcat	Version 1.1.3
Apache Tomcat	Version 3.0
Apache Tomcat	Version 3.1.1
Apache Tomcat	Version 3.1
Apache Tomcat	Version 3.2.1
Apache Tomcat	Version 3.2.2
Apache Tomcat	Version 3.2.2 beta2
Apache Tomcat	Version 3.2.3
Apache Tomcat	Version 3.2.4
Apache Tomcat	Version 3.2
Apache Tomcat	Version 3.3.1
Apache Tomcat	Version 3.3.1a
Apache Tomcat	Version 3.3.2
Apache Tomcat	Version 3.3
Apache Tomcat	Version 4.0.0
Apache Tomcat	Version 4.0.1
Apache Tomcat	Version 4.0.2
Apache Tomcat	Version 4.0.3
Apache Tomcat	Version 4.0.4
Apache Tomcat	Version 4.0.5
Apache Tomcat	Version 4.0.6
Apache Tomcat	Version 4.1.0
Apache Tomcat	Version 4.1.10
Apache Tomcat	Version 4.1.12
Apache Tomcat	Version 4.1.15
Apache Tomcat	Version 4.1.1
Apache Tomcat	Version 4.1.24
Apache Tomcat	Version 4.1.28
Apache Tomcat	Version 4.1.29
Apache Tomcat	Version 4.1.2
Apache Tomcat	Version 4.1.31
Apache Tomcat	Version 4.1.36
Apache Tomcat	Version 4.1.3
Apache Tomcat	Version 4.1.3 beta
Apache Tomcat	Version 4.1.9 beta
Apache Tomcat	Version 4
Apache Tomcat	Version 5.0.0
Apache Tomcat	Version 5.0.10
Apache Tomcat	Version 5.0.11
Apache Tomcat	Version 5.0.12
Apache Tomcat	Version 5.0.13
Apache Tomcat	Version 5.0.14
Apache Tomcat	Version 5.0.15
Apache Tomcat	Version 5.0.16
Apache Tomcat	Version 5.0.17
Apache Tomcat	Version 5.0.18
Apache Tomcat	Version 5.0.19
Apache Tomcat	Version 5.0.1
Apache Tomcat	Version 5.0.21
Apache Tomcat	Version 5.0.22
Apache Tomcat	Version 5.0.23
Apache Tomcat	Version 5.0.24
Apache Tomcat	Version 5.0.25
Apache Tomcat	Version 5.0.26
Apache Tomcat	Version 5.0.27
Apache Tomcat	Version 5.0.28
Apache Tomcat	Version 5.0.29
Apache Tomcat	Version 5.0.2
Apache Tomcat	Version 5.0.30
Apache Tomcat	Version 5.0.3
Apache Tomcat	Version 5.0.4
Apache Tomcat	Version 5.0.5
Apache Tomcat	Version 5.0.6
Apache Tomcat	Version 5.0.7
Apache Tomcat	Version 5.0.8
Apache Tomcat	Version 5.0.9
Apache Tomcat	Version 5.5.0
Apache Tomcat	Version 5.5.10
Apache Tomcat	Version 5.5.11
Apache Tomcat	Version 5.5.12
Apache Tomcat	Version 5.5.13
Apache Tomcat	Version 5.5.14
Apache Tomcat	Version 5.5.15
Apache Tomcat	Version 5.5.16
Apache Tomcat	Version 5.5.17
Apache Tomcat	Version 5.5.18
Apache Tomcat	Version 5.5.19
Apache Tomcat	Version 5.5.1
Apache Tomcat	Version 5.5.20
Apache Tomcat	Version 5.5.21
Apache Tomcat	Version 5.5.22
Apache Tomcat	Version 5.5.23
Apache Tomcat	Version 5.5.24
Apache Tomcat	Version 5.5.2
Apache Tomcat	Version 5.5.3
Apache Tomcat	Version 5.5.4
Apache Tomcat	Version 5.5.5
Apache Tomcat	Version 5.5.6
Apache Tomcat	Version 5.5.7
Apache Tomcat	Version 5.5.8
Apache Tomcat	Version 5.5.9
Apache Tomcat	Version 5

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

http://www.webapp-security.com/wp-content/uploads/2013/11/Apache-Tomcat-5.5.25-CSRF-Vulnerabilities.txt

Source: cve@mitre.org

Exploit

http://www.webapp-security.com/wp-content/uploads/2013/11/Apache-Tomcat-5.5.25-CSRF-Vulnerabilities.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.