Details
Trivial Description
Quoting a message from announce@apache.org
VE-2017-5648 Apache Tomcat Information Disclosure
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M17
Apache Tomcat 8.5.0 to 8.5.11
Apache Tomcat 8.0.0.RC1 to 8.0.41
Apache Tomcat 7.0.0 to 7.0.75
Apache Tomcat 6.0.x is not affectedDescription
While investigating bug 60718, it was noticed that some calls to
application listeners did not use the appropriate facade object. When
running an untrusted application under a SecurityManager, it was
therefore possible for that untrusted application to retain a reference
to the request or response object and thereby access and/or modify
information associated with another web application.Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M18 or later
- Upgrade to Apache Tomcat 8.5.12 or later
- Upgrade to Apache Tomcat 8.0.42 or later
- Upgrade to Apache Tomcat 7.0.76 or later
Credit:
This issue was identified by the Tomcat security team.History:
2017-04-10 Original advisoryReferences:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
[4] http://tomcat.apache.org/security-7.html
It's a low security issue so I'll not backport on no longer or not released branches
All tests pass and UI seems OK.