CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Percentile: 98.9%

The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client-side and server-side cache poisoning in some circumstances (CVE-2017-7674).

When using a VirtualDirContext, it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request (CVE-2017-12616).

Note that CVE-2017-12616 only affected Tomcat 7 in Mageia 5.

OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 5 | noarch | tomcat | < 7.0.81-1 | tomcat-7.0.81-1.mga5 |
Mageia | 6 | noarch | tomcat | < 8.0.46-1 | tomcat-8.0.46-1.mga6 |
openwall.com/lists/oss-security/2017/09/19/2
bugs.mageia.org/show_bug.cgi?id=21714
lists.fedoraproject.org/archives/list/[email protected]/thread/CH5PGYTIBGQHGGUEXRIIGNXJSLBNYYUS/
tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.79
tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.45