www-announce mailing list archives

From Mark Thomas <ma...@apache.org>
Subject [CORRECTION][SECURITY] CVE-2017-12616 Apache Tomcat Information Disclosure
Date Tue, 19 Sep 2017 11:14:27 GMT
The body of the original advisory referred to CVE-2017-7674. This was
incorrect. It was a copy and paste error from a previous Tomcat advisory.

The correct CVE reference is CVE-2017-12616, as per the subject line.

On 19/09/17 11:58, Mark Thomas wrote:
> CVE-2017-7674 Apache Tomcat Information Disclosure
> 
> Severity: Important
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 7.0.0 to 7.0.80
> 
> Description:
> When using a VirtualDirContext it was possible to bypass security
> constraints and/or view the source code of JSPs for resources served by
> the VirtualDirContext using a specially crafted request.
> 
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 7.0.81
> 
> Credit:
> This issue was identified by the Tomcat Security Team while
> investigating CVE-2017-12615.
> 
> History:
> 2017-09-19 Original advisory
> 
> References:
> [1] http://tomcat.apache.org/security-7.html
> 
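
An added example, not part of the advisory or of Tomcat's own code: a check for whether an installation falls under this advisory, meaning its version is in the affected range and a `VirtualDirContext` is configured. The function names and sample inputs are constructed for illustration. It assumes the Tomcat 7 class name `org.apache.naming.resources.VirtualDirContext` set on a `<Resources>` element inside `<Context>`.

```python
import re
import xml.etree.ElementTree as ET

# Range taken from the advisory: Apache Tomcat 7.0.0 to 7.0.80.
FIRST_AFFECTED, LAST_AFFECTED = (7, 0, 0), (7, 0, 80)
# Assumption: fully qualified class name as used in Tomcat 7 configuration.
VDC_CLASS = "org.apache.naming.resources.VirtualDirContext"

def parse_version(server_info):
    """Pull (major, minor, patch) out of a string like 'Apache Tomcat/7.0.79'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", server_info)
    if m is None:
        raise ValueError("no version number in %r" % server_info)
    return tuple(int(part) for part in m.groups())

def version_affected(server_info):
    return FIRST_AFFECTED <= parse_version(server_info) <= LAST_AFFECTED

def virtual_dir_contexts(xml_text):
    """Name every <Context> whose <Resources> element is a VirtualDirContext."""
    hits = []
    for ctx in ET.fromstring(xml_text).iter("Context"):
        for res in ctx.iter("Resources"):
            if res.get("className", "").strip() == VDC_CLASS:
                hits.append(ctx.get("path") or ctx.get("docBase") or "(unnamed)")
    return hits

def exposed_contexts(server_info, xml_texts):
    """Contexts covered by the advisory: affected version AND VirtualDirContext."""
    if not version_affected(server_info):
        return []
    return [name for text in xml_texts for name in virtual_dir_contexts(text)]

# Constructed sample input (not taken from the advisory).
SAMPLE_VDC = """<Context path="/app" docBase="/srv/app">
  <Resources className="org.apache.naming.resources.VirtualDirContext"
             extraResourcePaths="/static=/srv/shared/static"/>
</Context>"""
SAMPLE_PLAIN = '<Server><Service><Engine><Host><Context path="/docs"/></Host></Engine></Service></Server>'

if __name__ == "__main__":
    for info in ("Apache Tomcat/7.0.79", "Apache Tomcat/7.0.81"):
        print(info, "->", exposed_contexts(info, [SAMPLE_VDC, SAMPLE_PLAIN]))
```

Feed it the version string reported by the installation and the text of `conf/server.xml`, `conf/context.xml` and each application's `META-INF/context.xml`.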

