CVE-2017-5648

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 9.0.0.M1 through 9.0.0.M17 Apache Tomcat versions 8.5.0 through 8.5.11 Apache Tomcat versions 8.0.0.RC1 through 8.0.41 Apache Tomcat versions 7.0.0 through 7.0.75

Description The issue arises from some calls to application listeners not using the appropriate facade object. When an untrusted application is run under a SecurityManager, it can retain a reference to the request or response object, allowing it to access and/or modify information associated with another web application.

Recommendations For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M17, update to a version that uses the appropriate facade object for application listeners. For Apache Tomcat versions 8.5.0 through 8.5.11, update to a version that uses the appropriate facade object for application listeners. For Apache Tomcat versions 8.0.0.RC1 through 8.0.41, update to a version that uses the appropriate facade object for application listeners. For Apache Tomcat versions 7.0.0 through 7.0.75, update to a version that uses the appropriate facade object for application listeners. As a temporary workaround, consider restricting access to sensitive information when running untrusted applications under a SecurityManager.