CVE-2003-0042
tomcat - information exposure, cross site scripting
EPSS 55.8%
Description
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.
How to fix CVE-2003-0042
To remediate CVE-2003-0042, upgrade the affected package to a fixed version below.
- Debian/tomcat—upgrade to 3.3a-4woody.1 or later
- Maven/org.apache.tomcat:tomcat—upgrade to 3.3.1a or later
Is CVE-2003-0042 being exploited?
Likely — EPSS is 55.8%, placing CVE-2003-0042 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (2)
- Debian/tomcat: from 0, < 3.3a-4woody.1
- Maven/org.apache.tomcat:tomcat: from 0, < 3.3.1a