element, + # the text of which starts with, e.g., "Low:", so we look for these here, e.g., + #
Low: Apache Tomcat request smugglingCVE-2022-42252
+ + severity_scores = ("Low:", "Moderate:", "Important:", "High:", "Critical:") + # A list of groups of paragraphs, each for a single Tomcat Advisory. + advisory_groups = [] + + for para in fixed_version_paras.find_all("p"): + current_group = [] + if para.text.startswith(severity_scores): + current_group.append(para) + + test_next_siblings = para.find_next_siblings() + for next_sibling in test_next_siblings: + if not next_sibling.text.startswith(severity_scores): + current_group.append(next_sibling) + elif next_sibling.text.startswith(severity_scores): + break + + advisory_groups.append(current_group) + + yield TomcatAdvisoryData( + fixed_versions=fixed_versions, + advisory_groups=advisory_groups, + fixed_version_heading_text=fixed_version_heading.text, + ) + + +def generate_advisory_data_objects(tomcat_advisory_data_object): + fixed_versions = tomcat_advisory_data_object.fixed_versions + severity_scores = ("Low:", "Moderate:", "Important:", "High:", "Critical:") + + for para_list in tomcat_advisory_data_object.advisory_groups: + affected_versions = [] + fixed_commit_list = [] + references = [] + cve_url_list = [] + for para in para_list: + if para.text.startswith("Affects:"): + formatted_affected_version_data = para.text.split(":")[-1].split(", ") + affected_versions.extend(formatted_affected_version_data) + elif "was fixed in" in para.text or "was fixed with" in para.text: + fixed_commit_list = para.find_all("a") + references.extend([ref_url["href"] for ref_url in fixed_commit_list]) + elif para.text.startswith(severity_scores): + cve_url_list = para.find_all("a") + cve_list = [cve_url.text for cve_url in cve_url_list] + severity_score = para.text.split(":")[0] + + for cve_url in cve_url_list: + aliases = [] + aliases.append(cve_url.text) + + severity_list = [] + severity_list.append( + VulnerabilitySeverity( + system=APACHE_TOMCAT, + value=severity_score, + scoring_elements="", + ) + ) + + # This is the 1st `corrective_data_mapping` key: + 
fixed_version_heading_text = tomcat_advisory_data_object.fixed_version_heading_text + + if (fixed_version_heading_text, cve_url.text) in corrective_data_mapping.keys(): + fixed_versions = corrective_data_mapping[fixed_version_heading_text, cve_url.text][ + "fixed_versions" + ] + affected_versions = corrective_data_mapping[ + fixed_version_heading_text, cve_url.text + ]["affected_versions"] + else: + pass + + affected_version_range_apache = to_version_ranges_apache( + affected_versions, + fixed_versions, + ) + + affected_version_range_maven = to_version_ranges_maven( + affected_versions, + fixed_versions, + ) + + references = [ + Reference( + url=f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve_url.text}", + reference_id=cve_url.text, + severities=severity_list, + ), + ] + + for commit_url in fixed_commit_list: + references.append(Reference(url=commit_url["href"])) + + affected_packages = [] + + affected_packages.append( + AffectedPackage( + package=PackageURL( + type="apache", + name="tomcat", + ), + affected_version_range=affected_version_range_apache, + ) + ) + + affected_packages.append( + AffectedPackage( + package=PackageURL( + type="maven", + namespace="org.apache.tomcat", + name="tomcat", + ), + affected_version_range=affected_version_range_maven, + ) + ) + + yield AdvisoryData( + aliases=aliases, + summary="", + affected_packages=affected_packages, + references=references, + ) + + +def to_version_ranges_apache(versions_data, fixed_versions): + constraints = [] + + VersionConstraintTuple = namedtuple("VersionConstraintTuple", ["comparator", "version"]) + affected_constraint_tuple_list = [] + fixed_constraint_tuple_list = [] + + for version_item in versions_data: + version_item = version_item.strip() + if "to" in version_item: + version_item_split = version_item.split(" ") + affected_constraint_tuple_list.append( + VersionConstraintTuple(">=", version_item_split[0]) + ) + affected_constraint_tuple_list.append( + VersionConstraintTuple("<=", 
version_item_split[-1]) + ) + + elif "-" in version_item: + version_item_split = version_item.split("-") + affected_constraint_tuple_list.append( + VersionConstraintTuple(">=", version_item_split[0]) + ) + affected_constraint_tuple_list.append( + VersionConstraintTuple("<=", version_item_split[-1]) + ) + + elif version_item.startswith("<"): + version_item_split = version_item.split("<") + affected_constraint_tuple_list.append( + VersionConstraintTuple("<", version_item_split[-1]) + ) + else: - lower_bound = upper_bound = version_range + version_item_split = version_item.split(" ") + affected_constraint_tuple_list.append( + VersionConstraintTuple("=", version_item_split[0]) + ) + + for fixed_item in fixed_versions: + + if "-" in fixed_item and not any([i.isalpha() for i in fixed_item]): + fixed_item_split = fixed_item.split(" ") + fixed_constraint_tuple_list.append(VersionConstraintTuple(">=", fixed_item_split[0])) + fixed_constraint_tuple_list.append(VersionConstraintTuple("<=", fixed_item_split[-1])) + + else: + fixed_item_split = fixed_item.split(" ") + fixed_constraint_tuple_list.append(VersionConstraintTuple("=", fixed_item_split[0])) + + for record in affected_constraint_tuple_list: + try: + constraints.append( + VersionConstraint( + comparator=record.comparator, + version=SemverVersion(record.version), + ) + ) + except Exception as e: + LOGGER.error(f"{record.version!r} is not a valid SemverVersion {e!r}") + continue + + for record in fixed_constraint_tuple_list: + constraints.append( + VersionConstraint( + comparator=record.comparator, + version=SemverVersion(record.version), + ).invert() + ) + + return ApacheVersionRange(constraints=constraints) + + +def to_version_ranges_maven(versions_data, fixed_versions): + constraints = [] + + for version_item in versions_data: + version_item = version_item.strip() + if "to" in version_item: + version_item_split = version_item.split(" ") + + constraints.append( + VersionConstraint( + comparator=">=", + 
version=MavenVersion(version_item_split[0]), + ) + ) + constraints.append( + VersionConstraint( + comparator="<=", + version=MavenVersion(version_item_split[-1]), + ) + ) + + elif "-" in version_item: + version_item_split = version_item.split("-") + + constraints.append( + VersionConstraint( + comparator=">=", + version=MavenVersion(version_item_split[0]), + ) + ) + constraints.append( + VersionConstraint( + comparator="<=", + version=MavenVersion(version_item_split[-1]), + ) + ) + + elif version_item.startswith("<"): + version_item_split = version_item.split("<") + + constraints.append( + VersionConstraint( + comparator="<", + version=MavenVersion(version_item_split[-1]), + ) + ) + + else: + version_item_split = version_item.split(" ") + + constraints.append( + VersionConstraint( + comparator="=", + version=MavenVersion(version_item_split[0]), + ) + ) + + for fixed_item in fixed_versions: + + if "-" in fixed_item and not any([i.isalpha() for i in fixed_item]): + fixed_item_split = fixed_item.split(" ") + + constraints.append( + VersionConstraint( + comparator=">=", + version=MavenVersion(fixed_item_split[0]), + ).invert() + ) + constraints.append( + VersionConstraint( + comparator="<=", + version=MavenVersion(fixed_item_split[-1]), + ).invert() + ) + + else: + fixed_item_split = fixed_item.split(" ") + + constraints.append( + VersionConstraint( + comparator="=", + version=MavenVersion(fixed_item_split[0]), + ).invert() + ) - yield MavenVersionRange.from_native(f">={lower_bound},<={upper_bound}") + return MavenVersionRange(constraints=constraints) diff --git a/vulnerabilities/severity_systems.py b/vulnerabilities/severity_systems.py index 2bf27de98..de0d45f69 100644 --- a/vulnerabilities/severity_systems.py +++ b/vulnerabilities/severity_systems.py 
@@ -124,6 +124,27 @@ def compute(self, scoring_elements: str) -> str: name="Apache Httpd Severity", url="https://httpd.apache.org/security/impact_levels.html", ) +APACHE_HTTPD.choices = [ + "Critical", + "Important", + "Moderate", + "Low", +] + +# This is essentially identical to apache_http except for the addition of the "High" score, +# which seems to be used interchangeably for "Important". +APACHE_TOMCAT = ScoringSystem( + identifier="apache_tomcat", + name="Apache Tomcat Severity", + url="https://tomcat.apache.org/security-impact.html", +) +APACHE_TOMCAT.choices = [ + "Critical", + "High", + "Important", + "Moderate", + "Low", +] SCORING_SYSTEMS = { system.identifier: system @@ -137,5 +158,6 @@ def compute(self, scoring_elements: str) -> str: CVSS31_QUALITY, GENERIC, APACHE_HTTPD, + APACHE_TOMCAT, ) } diff --git a/vulnerabilities/tests/conftest.py b/vulnerabilities/tests/conftest.py index 8ee0affda..c692c2a80 100644 --- a/vulnerabilities/tests/conftest.py +++ b/vulnerabilities/tests/conftest.py @@ -26,7 +26,6 @@ def no_rmtree(monkeypatch): # Step 3: Migrate all the tests collect_ignore = [ "test_apache_kafka.py", - "test_apache_tomcat.py", "test_api.py", "test_models.py", "test_package_managers.py", diff --git a/vulnerabilities/tests/test_apache_tomcat.py b/vulnerabilities/tests/test_apache_tomcat.py index 1e7bb34b1..4c5033e14 100644 --- a/vulnerabilities/tests/test_apache_tomcat.py +++ b/vulnerabilities/tests/test_apache_tomcat.py 
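Review bot: The comment introducing `APACHE_TOMCAT` compares it to `apache_http`, but the constant defined directly above it is `APACHE_HTTPD`; `# This is essentially identical to APACHE_HTTPD except for the addition of the "High" score,` keeps the cross-reference greppable. The five labels in `APACHE_TOMCAT.choices` are also hard-coded again, twice, as the `severity_scores` tuple in the importer hunk earlier in this diff, and nothing visible here checks the `value` the importer passes to `VulnerabilitySeverity` against `choices` (whether `ScoringSystem` validates that on its own cannot be told from this hunk), so a page carrying an unexpected label would be stored silently; deriving the importer's tuple from this list, `severity_scores = tuple(f"{c}:" for c in APACHE_TOMCAT.choices)`, keeps the two from drifting. Attaching `choices` after construction for both systems reads as a workaround; if `ScoringSystem` accepts it as a field, passing it in the constructor call would keep each definition in one place.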
@@ -9,216 +9,382 @@ import os from unittest import TestCase -from unittest.mock import patch -from packageurl import PackageURL +from univers.version_constraint import VersionConstraint +from univers.version_range import ApacheVersionRange +from univers.version_range import MavenVersionRange +from univers.versions import MavenVersion +from univers.versions import SemverVersion -from vulnerabilities.importer import AdvisoryData -from vulnerabilities.importer import Reference from vulnerabilities.importers.apache_tomcat import ApacheTomcatImporter -from vulnerabilities.package_managers import MavenVersionAPI -from vulnerabilities.package_managers import PackageVersion -from vulnerabilities.utils import AffectedPackage +from vulnerabilities.importers.apache_tomcat import extract_tomcat_advisory_data_from_page +from vulnerabilities.importers.apache_tomcat import to_version_ranges_apache +from vulnerabilities.importers.apache_tomcat import to_version_ranges_maven +from vulnerabilities.tests import util_tests BASE_DIR = os.path.dirname(os.path.abspath(__file__)) -TEST_DATA = os.path.join(BASE_DIR, "test_data", "apache_tomcat", "security-9.html") - - -class TestApacheTomcatImporter(TestCase): - @classmethod - def setUpClass(cls): - data_source_cfg = {"etags": {}} - mock_api = MavenVersionAPI( - cache={ - "org.apache.tomcat:tomcat": [ - PackageVersion("9.0.0.M1"), - PackageVersion("9.0.0.M2"), - PackageVersion("8.0.0.M1"), - PackageVersion("6.0.0M2"), +TEST_DATA = os.path.join(BASE_DIR, "test_data/apache_tomcat") + + +def test_method_extract_advisories_from_page(): + with open(os.path.join(TEST_DATA, "apache_tomcat-selected-advisories.html")) as f: + raw_data = f.read() + extracted_advisories = ApacheTomcatImporter().extract_advisories_from_page(raw_data) + + results = [adv.to_dict() for adv in extracted_advisories] + + expected_file = os.path.join( + TEST_DATA, f"parse-apache_tomcat-selected-advisories-expected.json" + ) + util_tests.check_results_against_json(results, 
expected_file) + + +def test_extract_advisories_from_page(): + page = """ +6 April 2021 Fixed in Apache Tomcat 10.0.5
Important: Denial of Service + CVE-2021-30639
+ +An error introduced as part of a change to improve error handling.
+This was fixed with commit + b59099e4.
+ +This issue was reported publicly as 65203.
+ +Affects: 10.0.3 to 10.0.4
+ +Important: Denial of Service\n" + "CVE-2021-30639
', + "An error introduced as part of a change to improve " "error handling.
", + "This was fixed with commit\n" + " b59099e4.
', + "This issue was reported publicly as 65203.
', + "Affects: 10.0.3 to 10.0.4
", ] - } - ) - with patch("vulnerabilities.importers.apache_tomcat.MavenVersionAPI"): - with patch("vulnerabilities.importers.apache_tomcat.asyncio"): - cls.data_src = ApacheTomcatImporter(1, config=data_source_cfg) - cls.data_src.version_api = mock_api - - def test_to_advisories(self): - expected_advisories = [ - AdvisoryData( - summary="", - vulnerability_id="CVE-2015-5351", - affected_packages=[ - AffectedPackage( - vulnerable_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="8.0.0.M1", - qualifiers={}, - subpath=None, - ), - patched_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="9.0.0.M3", - qualifiers={}, - subpath=None, - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="9.0.0.M1", - ), - patched_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="9.0.0.M3", - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="9.0.0.M2", - ), - patched_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="9.0.0.M3", - ), - ), - ], - references=[ - Reference( - reference_id="", - url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351", - severities=[], - ), - Reference( - reference_id="", - url="https://svn.apache.org/viewvc?view=rev&rev=1720652", - severities=[], - ), - Reference( - reference_id="", - url="https://svn.apache.org/viewvc?view=rev&rev=1720655", - severities=[], - ), - ], - ), - AdvisoryData( - summary="", - vulnerability_id="CVE-2016-0706", - affected_packages=[ - AffectedPackage( - vulnerable_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="9.0.0.M1", - ), - patched_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="9.0.0.M3", - ), - ) - ], - references=[ - Reference( - reference_id="", - 
url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706", - severities=[], - ), - Reference( - reference_id="", - url="https://svn.apache.org/viewvc?view=rev&rev=1722799", - severities=[], - ), + ], + "fixed_versions": ["10.0.5"], + }, + ] + results = extract_tomcat_advisory_data_from_page(page) + results = [d.to_dict() for d in results] + assert results == expected + + +def test_extract_advisories_from_page_with_multiple_groups(): + page = """ +2 February 2021 Fixed in Apache Tomcat 10.0.2
Note: The issues below were fixed in Apache Tomcat 10.0.1 but the + release vote for the 10.0.1 release candidate did not pass. Therefore, + although users must download 10.0.2 to obtain a version that includes a + fix for these issues, version 10.0.1 is not included in the list of + affected versions.
+ +Low: Fix for CVE-2020-9484 was incomplete + CVE-2021-25329
+ +The fix for CVE-2020-9484 was incomplete. When using a + highly unlikely configuration edge case, the Tomcat instance was still + vulnerable to CVE-2020-9484. Note that both the previously + published prerequisites for CVE-2020-9484 and the previously + published non-upgrade mitigations for CVE-2020-9484 also apply to + this issue.
+ +This was fixed with commit + 6d66e99e.
+ +This issue was reported to the Apache Tomcat Security team by Trung Pham + of Viettel Cyber Security on 12 January 2021. The issue was made public + on 1 March 2021.
+ +Affects: 10.0.0-M1 to 10.0.0
+ +Important: Request mix-up with h2c + CVE-2021-25122
+ +When responding to new h2c connection requests, Apache Tomcat could + duplicate request headers and a limited amount of request body from one + request to another meaning user A and user B could both see the results of + user A's request.
+ +This was fixed with commit + dd757c0a.
+ +This issue was identified by the Apache Tomcat Security team on 11 + January 2021. The issue was made public on 1 March 2021.
+ +Affects: 10.0.0-M1 to 10.0.0
+ +17 November 2020 Fixed in Apache Tomcat 10.0.0-M10
Important: Information disclosure + CVE-2021-24122
+ +When serving resources from a network location using the NTFS file system
+ it was possible to bypass security constraints and/or view the source
+ code for JSPs in some configurations. The root cause was the unexpected
+ behaviour of the JRE API File.getCanonicalPath() which in
+ turn was caused by the inconsistent behaviour of the Windows API
+ (FindFirstFileW) in some circumstances.
+
This was fixed with commit + 7f004ac4.
+ +This issue was reported the Apache Tomcat Security team by Ilja Brander + on 26 October 2020. The issue was made public on 14 January 2021.
+ +Affects: 10.0.0-M1 to 10.0.0-M9
+ +Moderate: HTTP/2 request header mix-up + CVE-2020-17527
+ +While investigating issue 64830 it was discovered that Apache + Tomcat could re-use an HTTP request header value from the previous stream + received on an HTTP/2 connection for the request associated with the + subsequent stream. While this would most likely lead to an error and the + closure of the HTTP/2 connection, it is possible that information could + leak between requests. +
+ +This was fixed with commit + 8d2fe689.
+ +This issue was identified by the Apache Tomcat Security team on 10 + November 2020. The issue was made public on 3 December 2020.
+ +Affects: 10.0.0-M1 to 10.0.0-M9
+ +Low: Fix for CVE-2020-9484 was ' + "incomplete\n" + "CVE-2021-25329
', + "The fix for CVE-2020-9484 was incomplete. When ' + "using a\n" + " highly unlikely configuration edge case, the " + "Tomcat instance was still\n" + " vulnerable to CVE-2020-9484. Note that both the ' + "previously\n" + " published prerequisites for CVE-2020-9484 and the previously\n' + " published non-upgrade mitigations for CVE-2020-9484 also apply to\n' + " this issue.
", + "This was fixed with commit\n" + " 6d66e99e.
', + "This issue was reported to the Apache Tomcat " + "Security team by Trung Pham\n" + " of Viettel Cyber Security on 12 January 2021. " + "The issue was made public\n" + " on 1 March 2021.
", + "Affects: 10.0.0-M1 to 10.0.0
", ], - ), - AdvisoryData( - summary="", - vulnerability_id="CVE-2016-0714", - affected_packages={}, - references=[ - Reference( - reference_id="", - url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714", - severities=[], - ), - Reference( - reference_id="", - url="https://svn.apache.org/viewvc?view=rev&rev=1725263", - severities=[], - ), - Reference( - reference_id="", - url="https://svn.apache.org/viewvc?view=rev&rev=1725914", - severities=[], - ), + [ + "Important: Request mix-up with " + "h2c\n" + "CVE-2021-25122
', + "When responding to new h2c connection requests, " + "Apache Tomcat could\n" + " duplicate request headers and a limited amount of " + "request body from one\n" + " request to another meaning user A and user B could " + "both see the results of\n" + " user A's request.
", + "This was fixed with commit\n" + " dd757c0a.
', + "This issue was identified by the Apache Tomcat " + "Security team on 11\n" + " January 2021. The issue was made public on 1 " + "March 2021.
", + "Affects: 10.0.0-M1 to 10.0.0
", ], - ), - AdvisoryData( - summary="", - vulnerability_id="CVE-2016-0763", - affected_packages=[ - AffectedPackage( - vulnerable_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="9.0.0.M1", - ), - patched_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="9.0.0.M3", - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="9.0.0.M2", - ), - patched_package=PackageURL( - type="maven", - namespace="apache", - name="tomcat", - version="9.0.0.M3", - ), - ), + ], + "fixed_versions": ["10.0.2"], + }, + { + "advisory_groups": [ + [ + "Important: Information disclosure\n" + "CVE-2021-24122
', + "When serving resources from a network location "
+ "using the NTFS file system\n"
+ " it was possible to bypass security constraints "
+ "and/or view the source\n"
+ " code for JSPs in some configurations. The root "
+ "cause was the unexpected\n"
+ " behaviour of the JRE API "
+ "File.getCanonicalPath() which in\n"
+ " turn was caused by the inconsistent behaviour "
+ "of the Windows API\n"
+ " (FindFirstFileW) in some "
+ "circumstances.\n"
+ "
This was fixed with commit\n" + " 7f004ac4.
', + "This issue was reported the Apache Tomcat Security " + "team by Ilja Brander\n" + " on 26 October 2020. The issue was made public " + "on 14 January 2021.
", + "Affects: 10.0.0-M1 to 10.0.0-M9
", ], - references=[ - Reference( - reference_id="", - url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763", - severities=[], - ), - Reference( - reference_id="", - url="https://svn.apache.org/viewvc?view=rev&rev=1725926", - severities=[], - ), + [ + "Moderate: HTTP/2 request header " + "mix-up\n" + "CVE-2020-17527
', + "While investigating issue 64830 ' + "it was discovered that Apache\n" + " Tomcat could re-use an HTTP request header " + "value from the previous stream\n" + " received on an HTTP/2 connection for the " + "request associated with the\n" + " subsequent stream. While this would most likely " + "lead to an error and the\n" + " closure of the HTTP/2 connection, it is " + "possible that information could\n" + " leak between requests.\n" + "
", + "This was fixed with commit\n" + " 8d2fe689.
', + "This issue was identified by the Apache Tomcat " + "Security team on 10\n" + " November 2020. The issue was made public on 3 " + "December 2020.
", + "Affects: 10.0.0-M1 to 10.0.0-M9
", ], - ), - ] + ], + "fixed_versions": ["10.0.0-M10"], + }, + ] + + results = extract_tomcat_advisory_data_from_page(page) + results = [d.to_dict() for d in results] + assert results == expected + + +def test_fetch_links(): + retrieved_links = ApacheTomcatImporter().fetch_advisory_links( + "https://tomcat.apache.org/security" + ) + + generator_result = [] + for link in retrieved_links: + generator_result.append(link) + + assert generator_result == [ + "https://tomcat.apache.org/security-11.html", + "https://tomcat.apache.org/security-10.html", + "https://tomcat.apache.org/security-9.html", + "https://tomcat.apache.org/security-8.html", + "https://tomcat.apache.org/security-7.html", + "https://tomcat.apache.org/security-6.html", + "https://tomcat.apache.org/security-5.html", + "https://tomcat.apache.org/security-4.html", + "https://tomcat.apache.org/security-3.html", + ] + + +def test_to_version_ranges(): + versions_data = [ + "1.0.0-2.0.0", + "3.2.2-3.2.3", + "3.3a-3.3.1", + "9.0.0.M1 to 9.0.0.M9", + "10.1.0-M1 to 10.1.0-M16", + ] + fixed_versions = ["3.0.0", "3.3.1a"] + + expected_versions_data_maven = "vers:maven/>=1.0.0|<=2.0.0|!=3.0.0|>=3.2.2|<=3.2.3|>=3.3a|<=3.3.1|!=3.3.1a|>=9.0.0.M1|<=9.0.0.M9|>=10.1.0-M1|<=10.1.0-M16" + + expected_MavenVersionRange_versions_data = MavenVersionRange( + constraints=( + VersionConstraint(comparator=">=", version=MavenVersion(string="1.0.0")), + VersionConstraint(comparator="<=", version=MavenVersion(string="2.0.0")), + VersionConstraint(comparator="!=", version=MavenVersion(string="3.0.0")), + VersionConstraint(comparator=">=", version=MavenVersion(string="3.2.2")), + VersionConstraint(comparator="<=", version=MavenVersion(string="3.2.3")), + VersionConstraint(comparator=">=", version=MavenVersion(string="3.3a")), + VersionConstraint(comparator="<=", version=MavenVersion(string="3.3.1")), + VersionConstraint(comparator="!=", version=MavenVersion(string="3.3.1a")), + VersionConstraint(comparator=">=", 
version=MavenVersion(string="9.0.0.M1")), + VersionConstraint(comparator="<=", version=MavenVersion(string="9.0.0.M9")), + VersionConstraint(comparator=">=", version=MavenVersion(string="10.1.0-M1")), + VersionConstraint(comparator="<=", version=MavenVersion(string="10.1.0-M16")), + ) + ) + + converted_versions_data_maven = to_version_ranges_maven(versions_data, fixed_versions) + + assert expected_MavenVersionRange_versions_data == converted_versions_data_maven + assert ( + MavenVersionRange.from_string(expected_versions_data_maven) == converted_versions_data_maven + ) + + expected_versions_data_apache = "vers:apache/>=1.0.0|<=2.0.0|!=3.0.0|>=3.2.2|<=3.2.3|>=3.3a|<=3.3.1|!=3.3.1a|>=9.0.0.M1|<=9.0.0.M9|>=10.1.0-M1|<=10.1.0-M16" + + expected_ApacheVersionRange_versions_data = ApacheVersionRange( + constraints=( + VersionConstraint(comparator=">=", version=SemverVersion(string="1.0.0")), + VersionConstraint(comparator="<=", version=SemverVersion(string="2.0.0")), + VersionConstraint(comparator="!=", version=SemverVersion(string="3.0.0")), + VersionConstraint(comparator=">=", version=SemverVersion(string="3.2.2")), + VersionConstraint(comparator="<=", version=SemverVersion(string="3.2.3")), + VersionConstraint(comparator=">=", version=SemverVersion(string="3.3a")), + VersionConstraint(comparator="<=", version=SemverVersion(string="3.3.1")), + VersionConstraint(comparator="!=", version=SemverVersion(string="3.3.1a")), + VersionConstraint(comparator=">=", version=SemverVersion(string="9.0.0.M1")), + VersionConstraint(comparator="<=", version=SemverVersion(string="9.0.0.M9")), + VersionConstraint(comparator=">=", version=SemverVersion(string="10.1.0-M1")), + VersionConstraint(comparator="<=", version=SemverVersion(string="10.1.0-M16")), + ) + ) - with open(TEST_DATA) as f: - found_advisories = self.data_src.to_advisories(f) + converted_versions_data_apache = to_version_ranges_apache(versions_data, fixed_versions) - found_advisories = list(map(AdvisoryData.normalized, 
found_advisories)) - expected_advisories = list(map(AdvisoryData.normalized, expected_advisories)) - assert sorted(found_advisories) == sorted(expected_advisories) + assert expected_ApacheVersionRange_versions_data == converted_versions_data_apache + assert ( + ApacheVersionRange.from_string(expected_versions_data_apache) + == converted_versions_data_apache + ) diff --git a/vulnerabilities/tests/test_data/apache_tomcat/apache_tomcat-selected-advisories.html b/vulnerabilities/tests/test_data/apache_tomcat/apache_tomcat-selected-advisories.html new file mode 100644 index 000000000..29be45f6c --- /dev/null +++ b/vulnerabilities/tests/test_data/apache_tomcat/apache_tomcat-selected-advisories.html @@ -0,0 +1,395 @@ + + + + + + + +2 February 2021 Fixed in Apache Tomcat 9.0.43
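Review bot: `test_fetch_links` performs a live HTTP request to `https://tomcat.apache.org/security` and pins the exact list of nine links, so the suite is no longer hermetic: it fails offline or in CI without egress, and it breaks as soon as another security page is published or the site's link order changes. Save the index page as a fixture under `test_data/apache_tomcat` and exercise only the link extraction, or patch whatever HTTP call `fetch_advisory_links` makes (`unittest.mock.patch`, which this hunk drops from the imports) so the test pins parsing rather than the remote site; `generator_result` is also a hand-rolled list copy, `assert list(retrieved_links) == [...]`. In `test_method_extract_advisories_from_page` the `f"parse-apache_tomcat-selected-advisories-expected.json"` f-string has no placeholders, and `open(...)` should pass `encoding="utf-8"` so the HTML fixture decodes identically on every platform.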
+Note: The issues below were fixed in Apache Tomcat 9.0.42 but the + release vote for the 9.0.42 release candidate did not pass. Therefore, + although users must download 9.0.43 to obtain a version that includes a + fix for these issues, version 9.0.42 is not included in the list of + affected versions.
+ +Low: Fix for CVE-2020-9484 was incomplete + CVE-2021-25329 +
+ +The fix for CVE-2020-9484 was incomplete. When using a + highly unlikely configuration edge case, the Tomcat instance was still + vulnerable to CVE-2020-9484. Note that both the previously + published prerequisites for CVE-2020-9484 and the previously + published non-upgrade mitigations for CVE-2020-9484 also apply to + this issue.
+ +This was fixed with commit + 4785433a. +
+ +This issue was reported to the Apache Tomcat Security team by Trung Pham + of Viettel Cyber Security on 12 January 2021. The issue was made public + on 1 March 2021.
+ +Affects: 9.0.0.M1 to 9.0.41
+ +Important: Request mix-up with h2c + CVE-2021-25122 +
+ +When responding to new h2c connection requests, Apache Tomcat could + duplicate request headers and a limited amount of request body from one + request to another meaning user A and user B could both see the results of + user A's request.
+ +This was fixed with commit + d47c20a7. +
+ +This issue was identified by the Apache Tomcat Security team on 11 + January 2021. The issue was made public on 1 March 2021.
+ +Affects: 9.0.0.M1 to 9.0.41
+ +11 May 2020 Fixed in Apache Tomcat 9.0.35
+Important: Remote Code Execution via session persistence + CVE-2020-9484 +
+ +If:
+-
+
- an attacker is able to control the contents and name of a file on the + server; and +
- the server is configured to use the
PersistenceManager+ with aFileStore; and
+ - the
PersistenceManageris configured with +sessionAttributeValueClassNameFilter="null"(the default + unless aSecurityManageris used) or a sufficiently lax + filter to allow the attacker provided object to be deserialized; + and +
+ - the attacker knows the relative file path from the storage location
+ used by
FileStoreto the file the attacker has control + over;
+
then, using a specifically crafted request, the attacker will be able to + trigger remote code execution via deserialization of the file under their + control.
+ +Note: All of conditions above must be true for the + attack to succeed.
+ +As an alternative to upgrading to 9.0.35 or later, users may configure
+ the PersistenceManager with an appropriate value for
+ sessionAttributeValueClassNameFilter to ensure that only
+ application provided attributes are serialized and deserialized.
+
This was fixed with commit + 3aa8f28d. +
+ +This issue was reported to the Apache Tomcat Security Team by by jarvis + threedr3am of pdd security research on 12 April 2020. The issue was made + public on 20 May 2020.
+ +Affects: 9.0.0.M1 to 9.0.34
+ +not released Fixed in Apache Tomcat 9.0.9
+Low: CORS filter has insecure defaults + CVE-2018-8014 +
+ +The defaults settings for the CORS filter are insecure and enable
+ supportsCredentials for all origins. It is expected that
+ users of the CORS filter will have configured it appropriately for their
+ environment rather than using it in the default configuration. Therefore,
+ it is expected that most users will not be impacted by this issue.
+
This was fixed in revision 1831726.
+ +This issue was reported publicly on 1 May 2018 and formally announced as + a vulnerability on 16 May 2018.
+ +13 June 2016 Fixed in Apache Tomcat 8.5.3 and 8.0.36
+Moderate: Denial of Service + CVE-2016-3092 +
+ +Apache Tomcat uses a package renamed copy of Apache Commons FileUpload to + implement the file upload requirements of the Servlet specification. A + denial of service vulnerability was identified in Commons FileUpload that + occurred when the length of the multipart boundary was just below the + size of the buffer (4096 bytes) used to read the uploaded file. This + caused the file upload process to take several orders of magnitude + longer than if the boundary was the typical tens of bytes long.
+ +This was fixed in revision 1743722 for + 8.5.x and revision 1743738 for + 8.0.x.
+ +This issue was identified by the TERASOLUNA Framework Development Team + and reported to the Apache Commons team via JPCERT on 9 May 2016. It was + made public on 21 June 2016.
+ +Affects: 8.5.0 to 8.5.2, 8.0.0.RC1 to 8.0.35
+ +released 4 Sep 2009 Fixed in Apache Tomcat 5.5.28
+Important: Information Disclosure + CVE-2008-5515 +
+ +When using a RequestDispatcher obtained from the Request, the target path + was normalised before the query string was removed. A request that + included a specially crafted request parameter could be used to access + content that would otherwise be protected by a security constraint or by + locating it in under the WEB-INF directory.
+ +This was fixed in revisions 782757 and + 783291. +
+ +This was first reported to the Tomcat security team on 11 Dec 2008 and + made public on 8 Jun 2009.
+ +Affects: 5.5.0-5.5.27
+ +Important: Denial of Service + CVE-2009-0033 +
+ +If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.
+ +This was fixed in revision 781362.
+ +This was first reported to the Tomcat security team on 26 Jan 2009 and + made public on 3 Jun 2009.
+ +Affects: 5.5.0-5.5.27
+ +Low: Information disclosure + CVE-2009-0580 +
+ +Due to insufficient error checking in some authentication classes, Tomcat + allows for the enumeration (brute force testing) of user names by + supplying illegally URL encoded passwords. The attack is possible if FORM + based authentication (j_security_check) is used with the MemoryRealm. + Note that in early versions, the DataSourceRealm and JDBCRealm were also + affected.
+ +This was fixed in revision 781379.
+ +This was first reported to the Tomcat security team on 25 Feb 2009 and + made public on 3 Jun 2009.
+ +Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC + Realms)
+ +Low: Cross-site scripting + CVE-2009-0781 +
+ +The calendar application in the examples web application contains an + XSS flaw due to invalid HTML which renders the XSS filtering protection + ineffective.
+ +This was fixed in revision 750928.
+ +This was first reported to the Tomcat security team on 5 Mar 2009 and + made public on 6 Mar 2009.
+ +Affects: 5.5.0-5.5.27
+ +Low: Information disclosure + CVE-2009-0783 +
+ +Bugs 29936 and 45933 allowed a web application + to replace the XML parser used by + Tomcat to process web.xml, context.xml and tld files. In limited + circumstances these bugs may allow a rogue web application to view and/or + alter the web.xml, context.xml and tld files of other web applications + deployed on the Tomcat instance.
+ +This was fixed in revisions 681156 and + 781542. +
+ +This was first reported to the Tomcat security team on 2 Mar 2009 and + made public on 4 Jun 2009.
+ +Affects: 5.5.0-5.5.27
+ +Will not be fixed in Apache Tomcat 4.1.x
+Moderate: Information disclosure + CVE-2005-4836 +
+ +The deprecated HTTP/1.1 connector does not reject request URIs containing + null bytes when used with contexts that are configured with + allowLinking="true". Failure to reject the null byte enables an attacker + to obtain the source for any JSP page in these contexts. Users of Tomcat + 4.1.x are advised to use the default, supported Coyote HTTP/1.1 connector + which does not exhibit this issue. There are no plans to issue an update + to Tomcat 4.1.x for this issue.
+ +Affects: 4.1.15-4.1.SVN
+ +Fixed in Apache Tomcat 4.1.35
+Low: Information disclosure + CVE-2008-4308 +
+ +Bug + 40771 may result in the disclosure of POSTed content from a previous + request. For a vulnerability to exist, the content read from the input + stream must be disclosed, eg via writing it to the response and committing + the response, before the ArrayIndexOutOfBoundsException occurs which will + halt processing of the request.
+ +Affects: 4.1.32-4.1.34 (4.0.x unknown)
+Fixed in Apache Tomcat 4.1.3
+Important: Denial of service + CVE-2002-0935 +
+ +A malformed HTTP request can cause the request processing thread to + become unresponsive. A sequence of such requests will cause all request + processing threads, and hence Tomcat as a whole, to become unresponsive.
+ +Affects: 4.0.0-4.0.2?, 4.0.3, 4.0.4-4.0.6?, 4.1.0-4.1.2?
+ +Fixed in Apache Tomcat 3.3a
+Moderate: Information disclosure + CVE-2002-2007 +
+ +Non-standard requests to the sample applications installed by default + could result in unexpected directory listings or disclosure of the full + file system path for a JSP.
+ +Affects: 3.2.3-3.2.4
+ +Low: Information disclosure + CVE-2002-2006, + CVE-2000-0760 +
+ +The snoop servlet installed as part of the examples includes output that + identifies the Tomcat installation path. There are no plans to issue a an + update to Tomcat 3.x for this issue.
+ +Affects:3.1-3.1.1, 3.2-3.2.4
+Content
Table of Contents
- Apache Tomcat 9.x vulnerabilities
- Fixed in Apache Tomcat 9.0.38
- Fixed in Apache Tomcat 9.0.37
- Fixed in Apache Tomcat 9.0.36
- Fixed in Apache Tomcat 9.0.35
- Fixed in Apache Tomcat 9.0.31
- Fixed in Apache Tomcat 9.0.30
- Fixed in Apache Tomcat 9.0.29
- Fixed in Apache Tomcat 9.0.20
- Fixed in Apache Tomcat 9.0.19
- Fixed in Apache Tomcat 9.0.16
- Fixed in Apache Tomcat 9.0.12
- Fixed in Apache Tomcat 9.0.10
- Fixed in Apache Tomcat 9.0.9
- Fixed in Apache Tomcat 9.0.8
- Fixed in Apache Tomcat 9.0.5
- Fixed in Apache Tomcat 9.0.2
- Fixed in Apache Tomcat 9.0.1
- Fixed in Apache Tomcat 9.0.0.M22
- Fixed in Apache Tomcat 9.0.0.M21
- Fixed in Apache Tomcat 9.0.0.M19
- Fixed in Apache Tomcat 9.0.0.M18
- Fixed in Apache Tomcat 9.0.0.M17
- Fixed in Apache Tomcat 9.0.0.M15
- Fixed in Apache Tomcat 9.0.0.M13
- Fixed in Apache Tomcat 9.0.0.M10
- Fixed in Apache Tomcat 9.0.0.M8
- Fixed in Apache Tomcat 9.0.0.M3
Apache Tomcat 9.x vulnerabilities
This page lists all security vulnerabilities fixed in released versions - of Apache Tomcat 9.x. Each vulnerability is given a - security impact rating by the Apache - Tomcat security team — please note that this rating may vary from - platform to platform. We also list the versions of Apache Tomcat the flaw - is known to affect, and where a flaw has not been verified list the - version with a question mark.
- -Note: Vulnerabilities that are not Tomcat vulnerabilities - but have either been incorrectly reported against Tomcat or where Tomcat - provides a workaround are listed at the end of this page.
- -Please note that binary patches are never provided. If you need to
- apply a source code patch, use the building instructions for the
- Apache Tomcat version that you are using. For Tomcat 9.0 those are
- building.html and
- BUILDING.txt.
- Both files can be found in the webapps/docs subdirectory
- of a binary distribution. You may also want to review the
- Security Considerations
- page in the documentation.
If you need help on building or configuring Tomcat or other help on - following the instructions to mitigate the known vulnerabilities listed - here, please send your questions to the public - Tomcat Users mailing list -
- -If you have encountered an unlisted security vulnerability or other - unexpected behaviour that has security - impact, or if the descriptions here are incomplete, - please report them privately to the - Tomcat Security Team. Thank you. -
-5 January 2016 Fixed in Apache Tomcat 9.0.0.M3
Moderate: Security Manager bypass - CVE-2016-0763
- -This issue only affects users running untrusted web applications under a - security manager.
- -ResourceLinkFactory.setGlobalContext() is a public method
- and was accessible to web applications even when running under a security
- manager. This allowed a malicious web application to inject a malicious
- global context that could in turn be used to disrupt other web
- applications and/or read and write data owned by other web
- applications.
This was fixed in revision 1725926.
- -This issue was identified by the Tomcat security team on 18 January 2016 - and made public on 22 February 2016.
- -Affects: 9.0.0.M1 to 9.0.0.M2
- -Note: The issues below were fixed in Apache Tomcat 9.0.0.M2 but the - release vote for the 9.0.0.M2 release candidate did not pass. Therefore, - although users must download 9.0.0.M3 to obtain a version that includes - fixes for these issues, version 9.0.0.M2 is not included in the list of - affected versions.
- -Moderate: CSRF token leak - CVE-2015-5351
- -The index page of the Manager and Host Manager applications included a - valid CSRF token when issuing a redirect as a result of an - unauthenticated request to the root of the web application. If an - attacker had access to the Manager or Host Manager applications - (typically these applications are only accessible to internal users, not - exposed to the Internet), this token could then be used by the attacker - to construct a CSRF attack.
- -This was fixed in revisions 1720652 and - 1720655.
- -This issue was identified by the Tomcat security team on 8 December 2015 - and made public on 22 February 2016.
- -Affects: 8.0.0.M1 to 9.0.0, 9.0.1.M1 to 9.0.1.M2-
- -Low: Security Manager bypass - CVE-2016-0706
- -This issue only affects users running untrusted web applications under a - security manager.
- -The internal StatusManagerServlet could be loaded by a malicious web - application when a security manager was configured. This servlet could - then provide the malicious web application with a list of all deployed - applications and a list of the HTTP request lines for all requests - currently being processed. This could have exposed sensitive information - from other web applications, such as session IDs, to the web - application.
- -This was fixed in revision 1722799.
- -This issue was identified by the Tomcat security team on 27 December 2015 - and made public on 22 February 2016.
- -Affects: 9.0.0.M1
- -Moderate: Security Manager bypass - CVE-2016-0714
- -This issue only affects users running untrusted web applications under a - security manager.
- -Tomcat provides several session persistence mechanisms. The
- StandardManager persists session over a restart. The
- PersistentManager is able to persist sessions to files, a
- database or a custom Store. The cluster implementation
- persists sessions to one or more additional nodes in the cluster. All of
- these mechanisms could be exploited to bypass a security manager. Session
- persistence is performed by Tomcat code with the permissions assigned to
- Tomcat internal code. By placing a carefully crafted object into a
- session, a malicious web application could trigger the execution of
- arbitrary code.
This was fixed in revisions 1725263 and - 1725914.
- -This issue was identified by the Tomcat security team on 12 November 2015 - and made public on 22 February 2016.
- -Affects: 9.0.0.M1-9.0.0.M2
- -

