Apache Tomcat XML Validation Flaw Lets Applications Obtain Potentially Sensitive Information
SecurityTracker Alert ID: 1025924|
SecurityTracker URL: http://securitytracker.com/id/1025924
(Links to External Site)
Date: Aug 12 2011
Disclosure of system information, Disclosure of user information|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 7.0.0 to 7.0.16|
A vulnerability was reported in Apache Tomcat. A remote user may be able to obtain potentially sensitive information.|
A web application that is the first web application loaded can exploit an XML validation flaw to view or modify the web.xml, context.xml, and tld files of other web applications deployed on the Tomcat instance.
This vulnerability is a reintroduction of a previous vulnerability [CVE-2009-0783; Alert ID 1022336].
The Tomcat security team reported this vulnerability.
A web application can view or modify the web.xml, context.xml, and tld files of other web applications deployed on the Tomcat instance.|
The vendor has issued a fix (7.0.17).|
Vendor URL: tomcat.apache.org/ (Links to External Site)
Access control error, Input validation error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Date: Fri, 12 Aug 2011 14:12:07 +0100|
Subject: [Full-disclosure] [SECURITY] CVE-2011-2481: Apache Tomcat information disclosure vulnerability
CVE-2011-2481: Apache Tomcat information disclosure vulnerability
The Apache Software Foundation
Tomcat 7.0.0 to 7.0.16
Previous versions are not affected.
The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
vulnerability previously reported as CVE-2009-0783. This was initially
reported as a memory leak
(https://issues.apache.org/bugzilla/show_bug.cgi?id=51395). If a web
application is the first web
application loaded, this bug allows that web application to potentially
view and/or alter the web.xml, context.xml and tld files of other web
applications deployed on the Tomcat instance.
7.0.x users should upgrade to 7.0.17 or later
See https://issues.apache.org/bugzilla/show_bug.cgi?id=29936#c12 for an
example web application that can be used to replace the XML parser used
The security implications of bug 51395 were identified by the Tomcat
The Apache Tomcat Security Team
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/