Apache Tomcat, TOMCAT:34B8E0132E7832F3AE76A036F797C1D3
Jan 08, 2014 - 12:00 a.m.

Fixed in Apache Tomcat 7.0.50

2014-01-08 00:00:00
Apache Tomcat
tomcat.apache.org

CVSS2: 5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.93 High
Percentile: 99.1%

Note: The issues below were fixed in Apache Tomcat 7.0.48 but the release votes for 7.0.48 to 7.0.49 did not pass. Therefore, although users must download 7.0.50 to obtain a version that includes fixes for these issues, versions 7.0.48 to 7.0.49 are not included in the list of affected versions.

Important: Denial of service CVE-2013-4322

The fix for CVE-2012-3544 was not complete. It did not cover the following cases:

  • chunk extensions were not limited
  • whitespace after the : in a trailing header was not limited

This was fixed in revisions 1521864 and 1549523.

The first part of this issue was identified by the Apache Tomcat security team on 27 August 2013 and the second part by Saran Neti of TELUS Security Labs on 5 November 2013. It was made public on 25 February 2014.

Affects: 7.0.0 to 7.0.47
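
The two inputs listed above (chunk extensions, and whitespace after the : in a trailing header) can be bounded while the bytes are read rather than after a whole line has been buffered. The parser below is an added example, not Tomcat's code or its fix; the function names, limit names and default values are assumptions chosen for illustration.

```python
import io
HEX = b"0123456789abcdefABCDEF"

class ChunkLimitExceeded(Exception):
    """A chunked body went past a configured parsing limit."""

def _read_line(stream, budget):
    """Return one CRLF-terminated line, reading at most `budget` bytes."""
    line = bytearray()
    while not line.endswith(b"\r\n"):
        if len(line) >= budget:  # stop reading rather than keep buffering
            raise ChunkLimitExceeded("line longer than %d bytes" % budget)
        byte = stream.read(1)
        if not byte:
            raise ValueError("truncated chunked body")
        line += byte
    return bytes(line[:-2])

def read_chunked(stream, max_extension=64, max_trailer=128, max_chunk=1 << 20):
    """Decode a chunked body. Limit names and defaults are hypothetical."""
    body, trailers, ext_left, trailer_left = bytearray(), {}, max_extension, max_trailer
    while True:
        # Size line: up to 8 hex digits, ';', remaining extension budget, CRLF.
        size_hex, _, ext = _read_line(stream, 11 + ext_left).partition(b";")
        ext_left -= len(ext)  # extensions are budgeted across the whole body
        if ext_left < 0:
            raise ChunkLimitExceeded("chunk extensions exceed limit")
        if not 0 < len(size_hex) <= 8 or any(c not in HEX for c in size_hex):
            raise ValueError("bad chunk size")
        size = int(size_hex, 16)
        if size == 0:
            break
        if size > max_chunk:
            raise ChunkLimitExceeded("chunk larger than %d bytes" % max_chunk)
        data = stream.read(size)
        if len(data) != size or stream.read(2) != b"\r\n":
            raise ValueError("bad chunk data")
        body += data
    while True:
        # Every trailer byte counts, including whitespace after the ':'.
        line = _read_line(stream, trailer_left)
        trailer_left -= len(line) + 2
        if not line:
            return bytes(body), trailers
        name, _, value = line.partition(b":")
        trailers[name] = value.strip()

# Constructed sample: one chunk with an extension, one padded trailer.
print(read_chunked(io.BytesIO(b"5;name=val\r\nhello\r\n0\r\nX-Sum:  abc\r\n\r\n")))
```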

Low: Information disclosure CVE-2013-4590

Application-provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE, which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources, such as in a shared hosting environment.

This was fixed in revision 1549529.

This issue was identified by the Apache Tomcat security team on 29 October 2013 and made public on 25 February 2014.

Affects: 7.0.0 to 7.0.47

CPE Name         Operator   Version
apache tomcat    ge         7.0.0
apache tomcat    le         7.0.47
