Lucene search

K
tomcatApache TomcatTOMCAT:FC12A40DC49D58432E9FA6889FA7EAFC
HistoryJul 01, 2017 - 12:00 a.m.

Fixed in Apache Tomcat 7.0.79

2017-07-0100:00:00
Apache Tomcat
tomcat.apache.org
51

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

5.9

Confidence

High

EPSS

0.003

Percentile

68.3%

Moderate: Cache Poisoning CVE-2017-7674

The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

This was fixed in revision 1795816.

The issue was reported as bug 61101 on 16 May 2017. The full implications of this issue were identified by the Tomcat Security Team the same day. This issue was made public on 10 August 2017.

Affects: 7.0.41 to 7.0.78

Affected configurations

Vulners
Node
apachetomcatRange7.0.41
OR
apachetomcatRange7.0.78
VendorProductVersionCPE
apachetomcat*cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

5.9

Confidence

High

EPSS

0.003

Percentile

68.3%