PT-2017-16643 · Apache · Apache Tomcat

Published: 2017-03-13 · Updated: 2024-06-15 · CVE-2017-5648

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerable Software and Affected Versions

Apache Tomcat versions 9.0.0.M1 through 9.0.0.M17
Apache Tomcat versions 8.5.0 through 8.5.11
Apache Tomcat versions 8.0.0.RC1 through 8.0.41
Apache Tomcat versions 7.0.0 through 7.0.75
Description

Some calls to application listeners were made with the underlying request and response objects instead of the appropriate facade objects. An untrusted web application running under a SecurityManager could therefore retain a reference to the request or response object and use it to access or modify information belonging to another web application.
Recommendations

For all affected branches (Apache Tomcat 9.0.0.M1 through 9.0.0.M17, 8.5.0 through 8.5.11, 8.0.0.RC1 through 8.0.41, and 7.0.0 through 7.0.75), update to a version in which application listeners are called with the appropriate facade object. As a temporary workaround, restrict access to sensitive information when running untrusted applications under a SecurityManager.

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related identifiers

ALT-PU-2017-2558
CESA-2017_1809
CVE-2017-5648
DLA-924-1
DSA-3842-1
DSA-3843-1
GHSA-3VX3-XF6Q-R5XP
MGASA-2017-0117
OPENSUSE-SU-2017_1292-1
OPENSUSE-SU-2024:11468-1
OPENSUSE-SU-2024:13441-1
RHSA-2017:1801
RHSA-2017:1809
RHSA-2017_1809
SUSE-SU-2017:1229-1
SUSE-SU-2017:1382-1
SUSE-SU-2017:1660-1
USN-3519-1

Affected products

Alt Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu