www-announce mailing list archives

From Mark Thomas <ma...@apache.org>
Subject [SECURITY] CVE-2017-7674 Apache Tomcat Cache Poisoning
Date Thu, 10 Aug 2017 22:01:38 GMT
CVE-2017-7674 Apache Tomcat Cache Poisoning

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M21
Apache Tomcat 8.5.0 to 8.5.15
Apache Tomcat 8.0.0.RC1 to 8.0.44
Apache Tomcat 7.0.41 to 7.0.78

The CORS Filter did not add an HTTP Vary header indicating that the response
varies depending on Origin. This permitted client-side and server-side cache
poisoning in some circumstances.
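The following is an added illustration, not code from the advisory or from Tomcat's CorsFilter. It models a shared cache keyed the way RFC 7234 prescribes (URL plus the request header values named in the response's Vary header) and a CORS filter that reflects an allowed Origin, with and without the Vary: Origin header. The allowed-origin list, the URL and the two client origins are constructed for the example. With no Vary header the cache treats the response as origin-independent, so the second origin is handed the entry cached for the first; with Vary: Origin each origin gets its own entry. A small helper, check_vary_origin, is the check a defender would run against captured response headers.

```python
"""Model of how a shared HTTP cache keys CORS responses, and why omitting
`Vary: Origin` lets one origin's response be served to another origin."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the CORS filter is configured to allow two origins.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}

Headers = Dict[str, str]


def cors_response(request_headers: Headers, add_vary: bool) -> Headers:
    """Headers a CORS filter would emit for a simple cross-origin request.
    add_vary=False models the affected behaviour (no Vary header);
    add_vary=True models the fixed behaviour (Vary: Origin present)."""
    headers: Headers = {"Content-Type": "application/json"}
    origin = request_headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        # Reflecting the origin is what makes the response origin-dependent.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    if add_vary:
        headers["Vary"] = "Origin"
    return headers


def _vary_names(vary: str) -> List[str]:
    """Normalised list of header names from a Vary value ('' -> [])."""
    return sorted(t.strip().lower() for t in vary.split(",") if t.strip())


class SharedCache:
    """Minimal shared cache: an entry matches a request only if the URL is the
    same and every request header named in the entry's Vary header has the
    same value as when the entry was stored. 'Vary: *' is never cached."""

    def __init__(self) -> None:
        # (url, selector, response); selector pairs each Vary name with the
        # request value it was stored under.
        self._entries: List[Tuple[str, Tuple, Headers]] = []

    @staticmethod
    def _selector(request_headers: Headers, vary: str) -> Tuple:
        req = {k.lower(): v for k, v in request_headers.items()}
        return tuple((n, req.get(n)) for n in _vary_names(vary))

    def fetch(self, url: str, request_headers: Headers,
              origin_server: Callable[[Headers], Headers]) -> Tuple[Headers, bool]:
        """Return (response headers, served_from_cache)."""
        for cached_url, selector, resp in self._entries:
            vary = resp.get("Vary", "")
            if cached_url == url and self._selector(request_headers, vary) == selector:
                return resp, True
        resp = origin_server(request_headers)
        vary = resp.get("Vary", "")
        if "*" not in _vary_names(vary):
            self._entries.append((url, self._selector(request_headers, vary), resp))
        return resp, False


def check_vary_origin(response_headers: Headers) -> bool:
    """Defender check: does the response declare that it varies on Origin
    (either explicitly or via 'Vary: *')? Case-insensitive on names."""
    names = _vary_names(response_headers.get("Vary", ""))
    return "origin" in names or "*" in names


def simulate(add_vary: bool) -> Tuple[Optional[str], bool]:
    """Two different allowed origins request the same URL through one shared
    cache. Returns the Access-Control-Allow-Origin value the second client
    receives and whether it came from the cache."""
    cache = SharedCache()
    server = lambda h: cors_response(h, add_vary)
    cache.fetch("/api/profile", {"Origin": "https://app.example"}, server)
    resp, hit = cache.fetch("/api/profile", {"Origin": "https://admin.example"}, server)
    return resp.get("Access-Control-Allow-Origin"), hit


if __name__ == "__main__":
    # Affected: admin.example receives app.example's cached response.
    print("without Vary:", simulate(add_vary=False))
    # Fixed: the cache misses and admin.example gets its own response.
    print("with Vary:   ", simulate(add_vary=True))
```

Against a live deployment the same check reduces to inspecting the response to a request that carries an Origin header and confirming that Vary lists Origin; a response that reflects the origin in Access-Control-Allow-Origin but has no such Vary entry is the condition this advisory describes.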

Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M22 or later
- Upgrade to Apache Tomcat 8.5.16 or later
- Upgrade to Apache Tomcat 8.0.45 or later
- Upgrade to Apache Tomcat 7.0.79 or later

The issue was reported as Bug 61101 and the security implications
identified by the Apache Tomcat Security Team.

2017-08-10 Original advisory

[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] https://bz.apache.org/bugzilla/show_bug.cgi?id=61101
