Lucene search

K
kasperskyKaspersky LabKLA12087
HistoryNov 17, 2020 - 12:00 a.m.

KLA12087 Multiple vulnerabilities in Apache Tomcat

2020-11-1700:00:00
Kaspersky Lab
threats.kaspersky.com
20

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.4 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

69.6%

Multiple vulnerabilities were found in Apache Tomcat. Malicious users can exploit these vulnerabilities to obtain sensitive information, spoof user interface.

Below is a complete list of vulnerabilities:

  1. An information disclosure vulnerability can be exploited to obtain sensitive information.
  2. A security UI vulnerability in HTTP/2 client can be exploited remotely to spoof user interface.

Original advisories

Apache Tomcat 8.5.x vulnerabilities

Apache Tomcat 9.x vulnerabilities

Related products

Apache-Tomcat

CVE list

CVE-2021-24122 high

CVE-2020-17527 critical

Solution

Update to the latest versionTomcat 9 Software Downloads

Tomcat 8.5 Software Downloads

Impacts

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

  • Apache Tomcat 8.5.x earlier than 8.5.60Apache Tomcat 9.x earlier than 9.0.40

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.4 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

69.6%