Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DLA-1400-1:35C3A
HistoryJun 27, 2018 - 8:56 p.m.

[SECURITY] [DLA 1400-1] tomcat7 security update

2018-06-2720:56:21
lists.debian.org
21

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

69.8%

JSON

Package : tomcat7
Version : 7.0.56-3+really7.0.88-1
CVE ID : CVE-2017-7674 CVE-2017-12616 CVE-2018-1304
CVE-2018-1305 CVE-2018-8014
Debian Bug : 802312 898935

Several security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.

CVE-2017-7674
The CORS Filter in Apache Tomcat did not add an HTTP Vary header
indicating that the response varies depending on Origin. This
permitted client and server side cache poisoning in some
circumstances.

CVE-2017-12616
When using a VirtualDirContext with Apache Tomcat it was possible to
bypass security constraints and/or view the source code of JSPs for
resources served by the VirtualDirContext using a specially crafted
request.

CVE-2018-1304
The URL pattern of "" (the empty string) which exactly maps to the
context root was not correctly handled in Apache Tomcat when used as
part of a security constraint definition. This caused the constraint
to be ignored. It was, therefore, possible for unauthorized users to
gain access to web application resources that should have been
protected. Only security constraints with a URL pattern of the empty
string were affected.

CVE-2018-1305
Security constraints defined by annotations of Servlets in Apache
Tomcat were only applied once a Servlet had been loaded. Because
security constraints defined in this way apply to the URL pattern
and any URLs below that point, it was possible - depending on the
order Servlets were loaded - for some security constraints not to be
applied. This could have exposed resources to users who were not
authorized to access them.

CVE-2018-8014
The defaults settings for the CORS filter provided in Apache Tomcat
are insecure and enable 'supportsCredentials' for all origins. It is
expected that users of the CORS filter will have configured it
appropriately for their environment rather than using it in the
default configuration. Therefore, it is expected that most users
will not be impacted by this issue.

For Debian 8 "Jessie", these problems have been fixed in version
7.0.56-3+really7.0.88-1.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8alltomcat8-user< 8.0.14-1+deb8u12tomcat8-user_8.0.14-1+deb8u12_all.deb
Debian8alltomcat7-admin< 7.0.56-3+really7.0.88-1tomcat7-admin_7.0.56-3+really7.0.88-1_all.deb
Debian7alltomcat7-docs< 7.0.28-4+deb7u18tomcat7-docs_7.0.28-4+deb7u18_all.deb
Debian7alltomcat7< 7.0.28-4+deb7u18tomcat7_7.0.28-4+deb7u18_all.deb
Debian8alltomcat7< 7.0.56-3+really7.0.88-1tomcat7_7.0.56-3+really7.0.88-1_all.deb
Debian7alltomcat7-common< 7.0.28-4+deb7u18tomcat7-common_7.0.28-4+deb7u18_all.deb
Debian8alltomcat7-docs< 7.0.56-3+really7.0.88-1tomcat7-docs_7.0.56-3+really7.0.88-1_all.deb
Debian9alltomcat8< 8.5.14-1+deb9u3tomcat8_8.5.14-1+deb9u3_all.deb
Debian8alltomcat7-examples< 7.0.56-3+really7.0.88-1tomcat7-examples_7.0.56-3+really7.0.88-1_all.deb
Debian8alltomcat8-common< 8.0.14-1+deb8u12tomcat8-common_8.0.14-1+deb8u12_all.deb
Rows per page:
1-10 of 371

Related

osv 16
openvas 20
ubuntu 1
nessus 45
mageia 2
centos 1
redhat 6
fedora 4
ibm 22
debian 7
kaspersky 3
tomcat 12
amazon 6
freebsd 1
oraclelinux 1
prion 5
debiancve 5
veracode 6
github 5
cve 5
suse 1
ubuntucve 5
checkpoint_advisories 1
redhatcve 5
archlinux 1
photon 2
f5 5
dsquare 1
seebug 2
symantec 1
cisa 1
myhack58 1
osv
osv
tomcat7 - security update
2018-06-27 00:00:00
tomcat7 - security update
2018-03-06 00:00:00
tomcat8 - security update
2018-07-29 00:00:00
openvas
openvas
Ubuntu Update for tomcat8 USN-3665-1
2018-06-05 00:00:00
Fedora Update for tomcat FEDORA-2018-50f0da5d38
2018-04-06 00:00:00
Debian LTS: Security Advisory for tomcat8 (DLA-1450-1)
2018-07-30 00:00:00
ubuntu
ubuntu
Tomcat vulnerabilities
2018-05-30 00:00:00
nessus
nessus
Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Tomcat vulnerabilities (USN-3665-1)
2018-05-31 00:00:00
Scientific Linux Security Update : tomcat on SL7.x x86_64 (20190806)
2019-08-27 00:00:00
Oracle Linux 7 : tomcat (ELSA-2019-2205)
2023-09-07 00:00:00
mageia
mageia
Updated tomcat packages fix security vulnerability
2017-09-21 16:43:32
Updated tomcat packages fix security vulnerabilities
2018-02-28 16:55:21
centos
centos
tomcat security update
2019-08-30 04:27:31
redhat
redhat
(RHSA-2019:2205) Moderate: tomcat security, bug fix, and enhancement update
2019-08-06 08:13:03
(RHSA-2018:0466) Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update
2018-03-07 15:08:21
(RHSA-2018:0465) Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update
2018-03-07 15:08:16
fedora
fedora
[SECURITY] Fedora 26 Update: tomcat-8.0.50-1.fc26
2018-04-04 16:47:53
[SECURITY] Fedora 27 Update: tomcat-8.0.50-1.fc27
2018-04-04 17:10:49
[SECURITY] Fedora 25 Update: tomcat-8.0.46-1.fc25
2017-09-15 03:51:31
ibm
ibm
Security Bulletin: Rational DOORS Web Access is affected by Apache Tomcat vulnerabilities
2018-06-22 03:56:40
Security Bulletin: Rational Build Forge Security Advisory for Apache Tomcat (CVE-2018-1304 and CVE-2018-1305)
2020-04-20 14:40:53
Security Bulletin: Multiple Vulnerabilities in Apache Tomcat affects IBM UrbanCode Deploy (CVE-2018-1304, CVE-2018-1305)
2018-10-25 20:45:01
debian
debian
[SECURITY] [DLA 1450-1] tomcat8 security update
2018-07-29 11:57:59
[SECURITY] [DLA 1301-1] tomcat7 security update
2018-03-06 13:24:42
[SECURITY] [DLA 1108-1] tomcat7 security update
2017-09-24 16:53:09
kaspersky
kaspersky
KLA11203 Multiple vulnerabilities in Apache Tomcat
2018-02-13 00:00:00
KLA11256 SB vulnerability in Apache Tomcat
2018-05-15 00:00:00
KLA11106 Multiple vulnerabilities in Apache Tomcat
2017-09-19 00:00:00
tomcat
tomcat
Fixed in Apache Tomcat 8.5.28
2018-02-11 00:00:00
Fixed in Apache Tomcat 8.0.50
2018-02-13 00:00:00
Fixed in Apache Tomcat 9.0.5
2018-02-11 00:00:00
amazon
amazon
Medium: tomcat7, tomcat8
2018-03-21 22:06:00
Important: tomcat
2020-03-09 19:23:00
Medium: tomcat80
2018-03-21 22:08:00
freebsd
freebsd
tomcat -- Security constraints ignored or applied too late
2018-02-23 00:00:00
oraclelinux
oraclelinux
tomcat security, bug fix, and enhancement update
2019-08-13 00:00:00
prion
prion
Design/Logic Flaw
2017-09-19 13:29:00
Default configuration
2018-05-16 16:29:00
Design/Logic Flaw
2017-08-11 02:29:00
debiancve
debiancve
CVE-2017-12616
2017-09-19 13:29:00
CVE-2017-7674
2017-08-11 02:29:00
CVE-2018-8014
2018-05-16 16:29:00
veracode
veracode
Information Disclosure
2017-09-20 02:23:33
Insecure Defaults
2018-05-17 04:40:32
Insecure Defaults
2019-01-15 09:24:32
github
github
The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins
2018-10-17 16:32:32
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
2022-05-14 01:10:16
Insufficient Verification of Data Authenticity in Apache Tomcat
2022-05-14 01:10:15
cve
cve
CVE-2018-8014
2018-05-16 16:29:00
CVE-2017-7674
2017-08-11 02:29:00
CVE-2017-12616
2017-09-19 13:29:00
suse
suse
Security update for tomcat (important)
2017-11-23 21:09:20
ubuntucve
ubuntucve
CVE-2018-8014
2018-05-16 00:00:00
CVE-2017-7674
2017-08-10 00:00:00
CVE-2018-1305
2018-02-23 00:00:00
checkpoint_advisories
checkpoint_advisories
Apache Tomcat VirtualDirContext Information Disclosure (CVE-2017-12616)
2017-10-02 00:00:00
redhatcve
redhatcve
CVE-2017-7674
2017-08-11 14:19:00
CVE-2017-12616
2019-10-08 03:55:37
CVE-2018-8014
2020-04-06 17:04:57
archlinux
archlinux
[ASA-201709-17] tomcat7: information disclosure
2017-09-19 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-2.0-0065
2018-07-02 00:00:00
Critical Photon OS Security Update - PHSA-2018-0065
2018-07-03 00:00:00
f5
f5
K11420556 : Apache Tomcat vulnerability CVE-2018-8014
2018-07-17 00:00:00
K24335161 : Apache Tomcat vulnerability CVE-2017-12616
2017-09-28 00:00:00
K32051722 : Apache Tomcat vulnerability CVE-2018-1305
2018-03-12 00:00:00
dsquare
dsquare
Apache Tomcat VirtualDirContext Class File Handling Remote JSP Source Code Disclosure
2018-03-09 00:00:00
seebug
seebug
Apache Tomcat Security Bypass Vulnerability(CVE-2018-1305)
2018-02-27 00:00:00
Tomcat code execution vulnerability(CVE-2017-12615)
2017-09-20 00:00:00
symantec
symantec
Apache Tomcat Vulnerabilities Jan-Aug 2018
2018-10-11 08:01:01
cisa
cisa
Apache Releases Security Updates for Apache Tomcat
2017-09-19 00:00:00
myhack58
myhack58
Tomcat remote code execution vulnerability flaws bug research CVE-2017-12615 and patch Bypass-vulnerability warning-the black bar safety net
2017-09-20 00:00:00

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

69.8%

JSON
Related for DEBIAN:DLA-1400-1:35C3A
osv16openvas20ubuntu1nessus45mageia2centos1redhat6fedora4ibm22debian7kaspersky3tomcat12amazon6freebsd1oraclelinux1prion5debiancve5veracode6github5cve5suse1ubuntucve5checkpoint_advisories1redhatcve5archlinux1photon2f55dsquare1seebug2symantec1cisa1myhack581