Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 19 Sep 2017 14:07:07 +0100
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2017-12616 Apache Tomcat Information Disclosure

CVE-2017-12616 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.80

Description:
When using a VirtualDirContext it was possible to bypass security
constraints and/or view the source code of JSPs for resources served by
the VirtualDirContext using a specially crafted request.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 7.0.81

Credit:
This issue was identified by the Tomcat Security Team while
investigating CVE-2017-12615.

History:
2017-09-19 Original advisory

References:
[1] http://tomcat.apache.org/security-7.html

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ