Lucene search

K
ubuntucveUbuntu.comUB:CVE-2017-5664
HistoryJun 06, 2017 - 12:00 a.m.

CVE-2017-5664

2017-06-0600:00:00
ubuntu.com
ubuntu.com
8

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.009 Low

EPSS

Percentile

82.2%

The error page mechanism of the Java Servlet Specification requires that,
when an error occurs and an error page is configured for the error that
occurred, the original request and response are forwarded to the error
page. This means that the request is presented to the error page with the
original HTTP method. If the error page is a static file, expected
behaviour is to serve content of the file as if processing a GET request,
regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to
7.0.77 did not do this. Depending on the original request this could lead
to unexpected and undesirable results for static error pages including, if
the DefaultServlet is configured to permit writes, the replacement or
removal of the custom error page. Notes for other user provided error
pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method.
JSPs used as error pages must must ensure that they handle any error
dispatch as a GET request, regardless of the actual method. (2) By default,
the response generated by a Servlet does depend on the HTTP method. Custom
Servlets used as error pages must ensure that they handle any error
dispatch as a GET request, regardless of the actual method.

Bugs

OSVersionArchitecturePackageVersionFilename
ubuntu14.04noarchtomcat6< anyUNKNOWN
ubuntu16.04noarchtomcat7< anyUNKNOWN
ubuntu14.04noarchtomcat7< 7.0.52-1ubuntu0.13UNKNOWN
ubuntu16.04noarchtomcat8< 8.0.32-1ubuntu1.5UNKNOWN
ubuntu17.04noarchtomcat8< 8.0.38-2ubuntu2.2UNKNOWN

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.009 Low

EPSS

Percentile

82.2%