PT-2008-2825 · Apache · Apache Tomcat

Published 2008-07-31 · Updated 2023-02-13 · CVE-2008-1232

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 4.1.0 through 4.1.37
Apache Tomcat versions 5.5.0 through 5.5.26
Apache Tomcat versions 6.0.0 through 6.0.16
Description

The message argument of HttpServletResponse.sendError() is not only rendered on Tomcat's error page but is also copied into the reason phrase of the HTTP status line. Affected Tomcat versions do not filter the message, so it may contain characters that are illegal in HTTP headers (notably CR and LF) as well as HTML markup. A crafted message can therefore inject arbitrary headers or body content into the HTTP response (response splitting) and execute script in the victim's browser (XSS). The flaw is not exploitable by itself: the deployed application must pass unfiltered user-supplied data in the message argument.
Recommendations

Upgrade to a release that filters the message: Apache Tomcat 4.1.39 or later for the 4.1 branch, 5.5.27 or later for the 5.5 branch, and 6.0.18 or later for the 6.0 branch. As a temporary workaround, audit every call to sendError() in deployed applications and make sure user-supplied data never reaches the message argument unfiltered: prefer a fixed message and log the detail server-side; where input must be echoed, strip control characters (at least CR and LF) and HTML-encode it before the call. Application-level filtering only covers the code paths you control; upgrading fixes the container for every application it hosts.
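The vulnerable call pattern described above next to a hardened equivalent, as an added example that is not code from Apache Tomcat or from any real application. The two servlet classes, the `item` request parameter and the `sanitizeForErrorMessage` helper are hypothetical; the code targets the javax.servlet API of the Tomcat 5.5/6.0 era.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added illustration (hypothetical servlets, not Tomcat's own code).
 * Shows the sendError() misuse behind CVE-2008-1232 and a hardened variant.
 */
public class SendErrorExample {

    /** Vulnerable pattern: unfiltered user input becomes the sendError message. */
    public static class VulnerableServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String item = req.getParameter("item"); // assumed parameter
            if (item == null || !item.matches("[0-9]+")) {
                // On unpatched Tomcat the message is copied into the HTTP reason phrase
                // (CR/LF in "item" splits the response) and rendered unescaped on the
                // error page ("<script>" runs in the victim's browser).
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown item: " + item);
                return;
            }
            resp.getWriter().println("item " + item);
        }
    }

    /** Hardened pattern: fixed message for the client, detail goes to the log only. */
    public static class HardenedServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String item = req.getParameter("item"); // assumed parameter
            if (item == null || !item.matches("[0-9]+")) {
                // Control characters are stripped before logging so the input cannot
                // forge log lines either.
                log("rejected item parameter: " + sanitizeForErrorMessage(item));
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown item");
                return;
            }
            resp.getWriter().println("item " + item);
        }
    }

    /**
     * Defence in depth for code that must echo input in the message:
     * drop control characters (covers CR/LF header injection), then
     * HTML-escape the rest (covers the error page). Hypothetical helper.
     */
    public static String sanitizeForErrorMessage(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                continue; // strip CR, LF and every other control character
            }
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed attacker input: CRLF to escape the reason phrase and add a
        // header, a blank line to start a body, then script for the error page.
        String crafted = "x\r\nX-Injected: 1\r\n\r\n<script>alert(1)</script>";
        System.out.println("raw:       " + crafted.replace("\r", "\\r").replace("\n", "\\n"));
        System.out.println("sanitized: " + sanitizeForErrorMessage(crafted));
    }
}
```

The hardened servlet's first choice is a fixed message; the sanitizer exists only for code that genuinely must echo input. Note that HTML-encoding on its own would not stop the header injection, because CR and LF are not among the characters it touches; that is why control characters are removed first.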

Vulnerability Type

XSS

Weakness Enumeration

Related Identifiers

CVE-2008-1232
GHSA-Q74X-QQHR-F8RX
HPSBUX02401
RHSA-2008:0648
RHSA-2008:0862
RHSA-2008:0864
RHSA-2008:0877
RHSA-2008:1007
RHSA-2010:0602

Affected Products

Apache Tomcat
Hp-Ux
Red Hat