[arch-security] [ASA-201709-17] tomcat7: information disclosure
Arch Linux Security Advisory ASA-201709-17
==========================================

Severity: Medium
Date    : 2017-09-19
CVE-ID  : CVE-2017-12616
Package : tomcat7
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-408

Summary
=======

The package tomcat7 before version 7.0.81-1 is vulnerable to information disclosure.

Resolution
==========

Upgrade to 7.0.81-1.

# pacman -Syu "tomcat7>=7.0.81-1"

The problem has been fixed upstream in version 7.0.81.

Workaround
==========

None.

Description
===========

It has been discovered that Tomcat versions 7.0.80 and earlier are vulnerable to information disclosure. When a VirtualDirContext is in use, a specially crafted request could bypass security constraints and/or expose the source code of JSPs for the resources served by that VirtualDirContext.

Impact
======

A remote attacker is able to view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

References
==========

http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://mail-archives.apache.org/mod_mbox/tomcat-announce/201709.mbox/%3C0b4...
http://svn.apache.org/viewvc?view=revision&revision=1804729
https://security.archlinux.org/CVE-2017-12616
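The advisory ties exposure to two conditions: a Tomcat 7 release older than 7.0.81 and a context that actually configures a VirtualDirContext. The following script is an added example, not part of the Arch advisory or of the Tomcat project, that checks both conditions from a version banner and a context.xml. It assumes that Tomcat 7 configures this resource type through a `<Resources className="org.apache.naming.resources.VirtualDirContext" ...>` element in context.xml; the version string and the context.xml below are constructed sample inputs.

```python
"""Assess exposure to CVE-2017-12616 on a Tomcat 7 host.

Added example (not from the Arch advisory or the Tomcat project).
Inputs are constructed samples; the class name is an assumption
about how Tomcat 7 names the VirtualDirContext resources implementation.
"""
import re
import xml.etree.ElementTree as ET

# Advisory: the issue is fixed upstream in Tomcat 7.0.81.
FIXED_VERSION = (7, 0, 81)

# Assumption: fully qualified class name used in context.xml on Tomcat 7.
VIRTUAL_DIR_CONTEXT = "org.apache.naming.resources.VirtualDirContext"

# Constructed sample: the kind of banner `catalina.sh version` prints.
SAMPLE_VERSION_BANNER = "Server version: Apache Tomcat/7.0.80"

# Constructed sample context.xml that enables a VirtualDirContext.
SAMPLE_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resources className="org.apache.naming.resources.VirtualDirContext"
             extraResourcePaths="/WEB-INF/classes=/opt/shared/classes"/>
</Context>
"""


def parse_version(text):
    """Extract a (major, minor, patch) tuple from a version banner.

    Tuples are compared numerically so 7.0.9 sorts before 7.0.81;
    a plain string comparison would get that wrong.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no x.y.z version found in: %r" % text)
    return tuple(int(part) for part in match.groups())


def version_is_affected(text):
    """True when the banner names a Tomcat 7 release older than 7.0.81.

    Only the 7.x branch is covered by this advisory; other branches
    are out of scope here and reported as not affected by *this* check.
    """
    version = parse_version(text)
    return version[0] == 7 and version < FIXED_VERSION


def uses_virtual_dir_context(context_xml):
    """True when any <Resources> element selects the VirtualDirContext class."""
    root = ET.fromstring(context_xml)
    for resources in root.iter("Resources"):
        if resources.get("className", "") == VIRTUAL_DIR_CONTEXT:
            return True
    return False


def assess(version_text, context_xml):
    """Combine both conditions into a short verdict string."""
    affected = version_is_affected(version_text)
    exposed = uses_virtual_dir_context(context_xml)
    if affected and exposed:
        return "vulnerable: VirtualDirContext configured; upgrade to 7.0.81 or later"
    if affected:
        return "affected version, VirtualDirContext not configured; upgrade anyway"
    return "not affected by CVE-2017-12616"


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_BANNER, SAMPLE_CONTEXT_XML))
```

On a real host, feed `assess()` the output of `catalina.sh version` and each context.xml under the Tomcat configuration directory; a version older than 7.0.81 warrants the upgrade the advisory prescribes regardless of the second check, since the VirtualDirContext condition only tells you whether the disclosure path is currently reachable.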
Participants (1): Levente Polyak