tomcat -- information disclosure vulnerability

ID 3383E706-4FC3-11DF-83FB-0015587E2CC1
Type freebsd
Reporter FreeBSD
Modified 2010-04-22T00:00:00


The Apache Software Foundation reports:

The "WWW-Authenticate" header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, if a <realm-name> is not specified then Tomcat will generate one. In some circumstances this can expose the local hostname or IP address of the machine running Tomcat.
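
An audit check for the condition described above, added here as an example and not part of the advisory or of Tomcat: it flags a web.xml whose BASIC or DIGEST `<login-config>` has no `<realm-name>`, and tests whether a captured `WWW-Authenticate` value carries a realm that looks like a host or IP address. The sample descriptors, the function names and the host-matching heuristic are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from the advisory).
WEB_XML_NO_REALM = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>"""

WEB_XML_WITH_REALM = """<web-app>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Members Area</realm-name>
  </login-config>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so descriptors of any servlet version match."""
    return tag.rsplit("}", 1)[-1]


def missing_realm_name(web_xml_text):
    """Return the BASIC/DIGEST auth methods whose <login-config> lacks a <realm-name>."""
    findings = []
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) != "login-config":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        method = fields.get("auth-method", "").upper()
        if method in ("BASIC", "DIGEST") and not fields.get("realm-name"):
            findings.append(method)
    return findings


def realm_looks_like_host(www_authenticate):
    """Heuristic (assumption): True if the realm resembles host[:port] or an IPv4 address."""
    m = re.search(r'realm="([^"]*)"', www_authenticate, re.IGNORECASE)
    if not m:
        return False
    ipv4 = r"\d{1,3}(?:\.\d{1,3}){3}"
    dotted = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
    single_with_port = r"[A-Za-z0-9-]+:\d+"
    pattern = rf"(?:{ipv4}|{dotted})(?::\d+)?|{single_with_port}"
    return re.fullmatch(pattern, m.group(1)) is not None
```

A realm that an operator deliberately set to a public domain name will also match the heuristic, so treat a hit as a prompt to review the descriptor rather than as proof of disclosure.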