PT-2013-5085 · Apache · Apache Tomcat

Vincent Danen · Published 2013-12-26 · Updated 2022-05-14 · CVE-2013-4590

CVSS v2.0: 4.3 (Medium) · Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions prior to 6.0.39
Apache Tomcat versions 7.x prior to 7.0.50
Apache Tomcat versions 8.x prior to 8.0.0-RC10

Description

The issue allows an attacker to obtain "Tomcat internals" information by deploying an untrusted web application whose XML documents contain an external entity declaration together with a reference to that entity, i.e. an XML External Entity (XXE) issue in the container's own parsing of those documents. It applies when Tomcat runs web applications from untrusted sources, such as in a shared hosting environment. The XML files parsed by the container that can carry such declarations include web.xml, context.xml, *.tld, *.tagx and *.jspx.

Recommendations

For versions prior to 6.0.39, update to version 6.0.39 or later.
For versions 7.x prior to 7.0.50, update to version 7.0.50 or later.
For versions 8.x prior to 8.0.0-RC10, update to version 8.0.0-RC10 or later.

As a temporary workaround, restrict which web applications may be deployed to trusted ones and limit the use of XML files that may contain external entity declarations.
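A deploy-time check in the spirit of the workaround above, added here as an example and not code from Apache Tomcat or from the advisory: it parses the descriptor files the advisory names with expat's DTD callbacks and reports any external entity declaration, so a hosting operator can reject such a web application before the container parses it. The two constructed sample descriptors and the placeholder SYSTEM identifier are assumptions for illustration.

```python
# Added defender-side example (not Tomcat's own code): parse the XML files the
# advisory names and report every entity declared with a SYSTEM or PUBLIC id.
import os
import xml.parsers.expat

# Files the advisory lists as parsed by the container from the web application.
DESCRIPTOR_NAMES = {"web.xml", "context.xml"}
DESCRIPTOR_SUFFIXES = (".tld", ".tagx", ".jspx")

def find_external_entities(xml_bytes):
    """Return (name, is_parameter_entity, system_id, public_id) per external entity."""
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities arrive with a literal value; external ones have value None.
        if value is None:
            found.append((name, bool(is_param), system_id, public_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    # No ExternalEntityRefHandler is installed, so expat never fetches the resource.
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        pass  # keep whatever was declared before the document broke
    return found

def scan_webapp(webapp_root):
    """Map each offending descriptor (path relative to root) to its findings."""
    report = {}
    for dirpath, _, files in os.walk(webapp_root):
        for fname in files:
            if fname in DESCRIPTOR_NAMES or fname.endswith(DESCRIPTOR_SUFFIXES):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    hits = find_external_entities(fh.read())
                if hits:
                    report[os.path.relpath(path, webapp_root)] = hits
    return report

# Constructed samples: a Servlet 2.3 web.xml whose public DTD reference and
# internal entity are legitimate, and a descriptor declaring an external entity.
BENIGN_WEB_XML = b"""<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd" [ <!ENTITY app "demo"> ]>
<web-app><display-name>&app;</display-name></web-app>"""
FLAGGED_WEB_XML = b"""<?xml version="1.0"?>
<!DOCTYPE web-app [ <!ENTITY ext SYSTEM "file:///placeholder/constructed"> ]>
<web-app><display-name>&ext;</display-name></web-app>"""
```

A descriptor that only references a public DTD, as pre-Servlet-2.4 web.xml files do, is not reported; only declarations of external general or parameter entities are.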

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CESA-2014_1038
CVE-2013-4590
DLA-91-1
DSA-3530-1
GHSA-87W9-X2C3-HRJJ
MGASA-2014-0148
MGASA-2014-0149
RHSA-2014:1038
RHSA-2014:1087
RHSA-2014:1088
RHSA-2014_1038

Affected Products

Apache Tomcat
CentOS
Red Hat
VMware vCenter