www-announce mailing list archives

From Mark Thomas <ma...@apache.org>
Subject [UPDATE][SECURITY] CVE-2017-7675 Apache Tomcat Security Constraint Bypass
Date Thu, 10 Aug 2017 22:10:34 GMT
CVE-2017-7675 Apache Tomcat Security Constraint Bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M21
Apache Tomcat 8.5.0 to 8.5.15

The HTTP/2 implementation bypassed a number of security checks that
prevented directory traversal attacks. It was therefore possible to
bypass security constraints using a specially crafted URL.

Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M22 or later
- Upgrade to Apache Tomcat 8.5.16 or later

The issue was reported as Bug 61120 and the security implications
identified by the Apache Tomcat Security Team.

2017-08-10 Original advisory
2017-08-10 Correct copy/paste error in title

[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] https://bz.apache.org/bugzilla/show_bug.cgi?id=61120
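
As an added example (not part of the advisory and not Apache Tomcat code), the following Python script checks a reported Tomcat version against the affected ranges listed above and lists the connectors in a server.xml that have HTTP/2 configured. It assumes HTTP/2 is enabled by nesting an UpgradeProtocol element with className org.apache.coyote.http2.Http2Protocol inside a Connector, which comes from Tomcat's configuration format rather than from this advisory; the function names and the sample server.xml are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges, taken from the advisory text.
# Versions are (major, minor, patch, milestone); milestone 0 means "no .M suffix".
AFFECTED = [
    ((9, 0, 0, 1), (9, 0, 0, 21)),   # 9.0.0.M1 to 9.0.0.M21
    ((8, 5, 0, 0), (8, 5, 15, 0)),   # 8.5.0 to 8.5.15
]
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"  # assumption: see lead-in

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector>
</Service></Server>"""

def parse_version(text):
    """Extract a version tuple from e.g. 'Apache Tomcat/9.0.0.M21' or '8.5.15'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def is_affected(version_text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def http2_connectors(server_xml):
    """Return the ports of <Connector> elements that nest an HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector")
            if any(u.get("className") == HTTP2_CLASS
                   for u in c.iter("UpgradeProtocol"))]

def assess(version_text, server_xml):
    """Combine both checks into one record for an inventory report."""
    return {"affected_version": is_affected(version_text),
            "http2_ports": http2_connectors(server_xml)}

if __name__ == "__main__":
    print(assess("Apache Tomcat/8.5.15", SAMPLE_SERVER_XML))
```

The http2_ports field only helps prioritise hosts; the remedy remains the upgrade stated in the advisory.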
