CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
Percentile
99.5%
CentOS Errata and Security Advisory CESA-2007:0569
Tomcat is a servlet container for Java Servlet and JavaServer Pages (JSP)
technologies.
Some JSPs within the ‘examples’ web application did not escape user
provided data. If the JSP examples were accessible, this flaw could allow a
remote attacker to perform cross-site scripting attacks (CVE-2007-2449).
Note: it is recommended the ‘examples’ web application not be installed on
a production system.
The Manager and Host Manager web applications did not escape user provided
data. If a user is logged in to the Manager or Host Manager web
application, an attacker could perform a cross-site scripting attack
(CVE-2007-2450).
Users of Tomcat should update to these erratum packages, which contain
backported patches to correct these issues.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2007-July/076229.html
https://lists.centos.org/pipermail/centos-announce/2007-July/076230.html
https://lists.centos.org/pipermail/centos-announce/2007-September/076417.html
https://lists.centos.org/pipermail/centos-announce/2007-September/076418.html
Affected packages:
tomcat5
tomcat5-admin-webapps
tomcat5-common-lib
tomcat5-jasper
tomcat5-jasper-javadoc
tomcat5-jsp-2.0-api
tomcat5-jsp-2.0-api-javadoc
tomcat5-server-lib
tomcat5-servlet-2.4-api
tomcat5-servlet-2.4-api-javadoc
tomcat5-webapps
Upstream details at:
https://access.redhat.com/errata/RHSA-2007:0569