6.0.28

DATE	CVE	VULNERABILITY TITLE	RISK
2012-11-17	CVE-2012-5885	Permissions, Privileges, and Access Controls vulnerability in Apache Tomcat The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184. network low complexity apache CWE-264	5.0
2012-11-16	CVE-2012-2733	Improper Input Validation vulnerability in Apache Tomcat java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data. network low complexity apache CWE-20	5.0
2010-11-26	CVE-2010-4312	Configuration vulnerability in Apache Tomcat The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie. network low complexity apache CWE-16	6.4