Source: Red Hat CVE database (access.redhat.com), RH:CVE-2017-5664
Published: Feb 07, 2021, 3:15 p.m.

CVE-2017-5664

Tags: tomcat, DefaultServlet, vulnerability, error page, HTTP request, undesired side effects, error page replacement, mitigation, JSP error page, static HTML error page, deployment descriptor, ErrorReportValve

EPSS: 0.009 (82.7th percentile)

A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. The Servlet specification forwards the original request, including its HTTP method, to the configured error page; when that page is a static file, the DefaultServlet is expected to serve it as if handling a GET, but it instead honoured the original method. A crafted HTTP request (for example, a PUT or DELETE to a path that triggers the error page) could therefore cause undesired side effects, including, when the DefaultServlet is configured with readonly=false, the removal or replacement of the custom error page. The issue was fixed upstream in Apache Tomcat 9.0.0.M22, 8.5.16, 8.0.45 and 7.0.79; the mitigation below is for deployments that cannot upgrade.

Mitigation

If it is necessary to run the DefaultServlet with the init-param readonly=false, use a JSP error page (for example Error404.jsp) rather than a static HTML error page, so that the error page is handled by the JSP servlet and never by the DefaultServlet. Alternatively, do not specify an error-page in the deployment descriptor (web.xml) and use a custom ErrorReportValve to render errors instead. The default value of readonly is true, so deployments that do not need PUT or DELETE support through the DefaultServlet should simply leave it unset.
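As an added example (not taken from the Red Hat advisory or from the Tomcat project's own configuration), the fragments below put the vulnerable combination next to both mitigations. The paths /errors/404.html and /errors/Error404.jsp and the application context are assumed for illustration; the servlet and valve class names are Tomcat's real ones.

```xml
<!-- WEB-INF/web.xml (fragment) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Part 1 of the vulnerable combination: writes enabled on the DefaultServlet.
       readonly defaults to true; only set it to false if PUT/DELETE is required. -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

  <!-- Part 2 of the vulnerable combination: a static error page served by that
       same DefaultServlet. A PUT or DELETE that produces a 404 is forwarded to
       this location with its original method, so an unpatched Tomcat writes to
       or deletes the file. Shown commented out; do not use with readonly=false. -->
  <!--
  <error-page>
    <error-code>404</error-code>
    <location>/errors/404.html</location>
  </error-page>
  -->

  <!-- Mitigation 1: a JSP error page. The forward lands on the JSP servlet,
       which never writes to the file system regardless of the request method. -->
  <error-page>
    <error-code>404</error-code>
    <location>/errors/Error404.jsp</location>
  </error-page>

</web-app>

<!-- META-INF/context.xml (fragment): Mitigation 2. Use this INSTEAD of any
     error-page element in web.xml. The valve renders the error response itself,
     so no request is ever forwarded to a resource under the DefaultServlet. -->
<Context>
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false"
         showServerInfo="false" />
</Context>
```

The advisory asks for a custom ErrorReportValve; the stock valve with showReport and showServerInfo disabled (attributes available in Tomcat 8.5 and later) is the minimal form, and a subclass of org.apache.catalina.valves.ErrorReportValve that overrides its protected report(Request, Response, Throwable) method can produce branded output, with that subclass name placed in className. To check a deployment, configure the static 404.html variant on a test instance with readonly=false, send something like curl -X PUT --data-binary @anyfile http://host/app/does-not-exist, and confirm afterwards that the 404.html file on disk is unchanged; on an unpatched Tomcat its contents will have been replaced.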