CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 0.932 High
Percentile: 99.0%
Note: The issue below was fixed in Apache Tomcat 8.0.0-RC6 but the release votes for 8.0.0-RC6 to 8.0.0-RC9 did not pass. Therefore, although users must download 8.0.0-RC10 to obtain a version that includes a fix for this issue, versions 8.0.0-RC6 to 8.0.0-RC9 are not included in the list of affected versions.
Important: Denial of service CVE-2013-4322
The fix for CVE-2012-3544 was not complete. It did not cover the following cases:
This was fixed in revisions 1521834 and 1549522.
The first part of this issue was identified by the Apache Tomcat security team on 27 August 2013 and the second part by Saran Neti of TELUS Security Labs on 5 November 2013. It was made public on 25 February 2014.
Affects: 8.0.0-RC1 to 8.0.0-RC5
Low: Information disclosure CVE-2013-4590
Application-provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XML external entity (XXE) processing, which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources, such as in a shared hosting environment.
This was fixed in revision 1549528.
This issue was identified by the Apache Tomcat security team on 29 October 2013 and made public on 25 February 2014.
Affects: 8.0.0-RC1 to 8.0.0-RC5
CPE | Name | Operator | Version
---|---|---|---
 | apache tomcat | ge | 8.0.0-RC1
 | apache tomcat | le | 8.0.0-RC5
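
To check an inventory against the affected range above, compare release-candidate numbers as integers: as plain strings, 8.0.0-RC10 sorts before 8.0.0-RC5 and the fixed release gets flagged. The following is an added example, not part of the advisory or of Tomcat; the host names and banner strings are constructed, and the status labels are hypothetical.

```python
import re

# Range from the "Affects" lines and CPE table; RC10 is the first released fix.
AFFECTED_FIRST, AFFECTED_LAST, FIRST_FIXED = "8.0.0-RC1", "8.0.0-RC5", "8.0.0-RC10"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Return a sortable key; accepts '8.0.0-RC3' or 'Apache Tomcat/8.0.0-RC3'."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4) is None:
        return (major, minor, patch, 1, 0)            # final release sorts after any RC
    return (major, minor, patch, 0, int(m.group(4)))  # RC number compared as an integer

def classify(text):
    """Status labels are hypothetical names chosen for this example."""
    key = parse_version(text)
    first, last, fixed = map(parse_version, (AFFECTED_FIRST, AFFECTED_LAST, FIRST_FIXED))
    if first <= key <= last:
        return "affected"
    if last < key < fixed:
        return "unreleased-rc"      # RC6 to RC9: fix present, release votes did not pass
    return "outside-listed-range"   # not covered by the range on this page

def naive_is_affected(version):
    """Plain string comparison, kept only to expose the RC10 ordering pitfall."""
    return AFFECTED_FIRST <= version <= AFFECTED_LAST

# Constructed inventory: hypothetical hosts and server banner strings.
SAMPLE_INVENTORY = {
    "app01": "Apache Tomcat/8.0.0-RC1",
    "app02": "Apache Tomcat/8.0.0-RC5",
    "app03": "Apache Tomcat/8.0.0-RC10",
    "app04": "Apache Tomcat/8.0.0-RC7",
    "app05": "Apache Tomcat/8.0.3",
}

def triage(inventory):
    """Map each host to its status for the range listed on this page."""
    return {host: classify(banner) for host, banner in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(host, status)
```

A result of "outside-listed-range" only means the version is not in the range listed here; other Tomcat branches have their own advisories.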