Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2017/09/19 10:58:28 UTC
[SECURITY] CVE-2017-12616 Apache Tomcat Information Disclosure
CVE-2017-7674 Apache Tomcat Information Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 7.0.0 to 7.0.80
Description:
When using a VirtualDirContext it was possible to bypass security
constraints and/or view the source code of JSPs for resources served by
the VirtualDirContext using a specially crafted request.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 7.0.81
Credit:
This issue was identified by the Tomcat Security Team while
investigating CVE-2017-12615.
History:
2017-09-19 Original advisory
References:
[1] http://tomcat.apache.org/security-7.html
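As a defender-side triage check added here (not part of the advisory or of Tomcat's own tooling), the script below applies the two preconditions the advisory states: a Tomcat version in 7.0.0 to 7.0.80, and a VirtualDirContext configured for the web application. It assumes the Tomcat 7 class name org.apache.naming.resources.VirtualDirContext and the `<Resources className=...>` form of context.xml; the sample context.xml and version banner are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Affected range stated in the advisory: Apache Tomcat 7.0.0 to 7.0.80 (fixed in 7.0.81).
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (7, 0, 80)

# Assumption: in Tomcat 7 a VirtualDirContext is selected through a <Resources>
# element in the web application's context.xml with this className.
VIRTUAL_DIR_CONTEXT = "org.apache.naming.resources.VirtualDirContext"

# Constructed sample context.xml that enables a VirtualDirContext.
SAMPLE_CONTEXT_XML = """<Context>
  <Resources className="org.apache.naming.resources.VirtualDirContext"
             extraResourcePaths="/shared=/opt/shared-webapp" />
</Context>"""


def parse_version(text):
    """Return (major, minor, patch) from a banner such as 'Apache Tomcat/7.0.79', or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return None if not m else tuple(int(g) for g in m.groups())


def version_in_affected_range(version):
    """Tuple comparison keeps 7.0.9 < 7.0.80, which a string compare would get wrong."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def uses_virtual_dir_context(context_xml):
    """True if any <Resources> element in the context.xml selects the VirtualDirContext class."""
    root = ET.fromstring(context_xml)
    return any(r.get("className") == VIRTUAL_DIR_CONTEXT for r in root.iter("Resources"))


def assess(server_info, context_xml):
    """Combine both preconditions from the advisory into a single verdict string."""
    version = parse_version(server_info)
    if version is None:
        return "unknown: could not parse a Tomcat version from the banner"
    if not version_in_affected_range(version):
        return "not affected: version %d.%d.%d is outside 7.0.0-7.0.80" % version
    if not uses_virtual_dir_context(context_xml):
        return "version affected but no VirtualDirContext configured; upgrade is still advised"
    return "EXPOSED: VirtualDirContext on an affected version; upgrade to Apache Tomcat 7.0.81"


if __name__ == "__main__":
    # Constructed banner in the style of the 'version.sh' output line.
    print(assess("Server version: Apache Tomcat/7.0.79", SAMPLE_CONTEXT_XML))
```

The version banner can be taken from `catalina.sh version` output or the server's ServerInfo, and the context.xml from each deployed application's META-INF or conf/Catalina directory.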
[CORRECTION][SECURITY] CVE-2017-12616 Apache Tomcat Information Disclosure
Posted by Mark Thomas <ma...@apache.org>.
The body of the original advisory referred to CVE-2017-7674. This was
incorrect. It was a copy and paste error from a previous Tomcat advisory.
The correct CVE reference is CVE-2017-12616, as per the subject line.
On 19/09/17 11:58, Mark Thomas wrote:
> CVE-2017-7674 Apache Tomcat Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 7.0.0 to 7.0.80
>
> Description:
> When using a VirtualDirContext it was possible to bypass security
> constraints and/or view the source code of JSPs for resources served by
> the VirtualDirContext using a specially crafted request.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 7.0.81
>
> Credit:
> This issue was identified by the Tomcat Security Team while
> investigating CVE-2017-12615.
>
> History:
> 2017-09-19 Original advisory
>
> References:
> [1] http://tomcat.apache.org/security-7.html
>