Apache Tomcat Lets Remote Authenticated Users Bypass Security Controls and View Files
|
|
SecurityTracker Alert ID: 1030298 |
|
SecurityTracker URL: http://securitytracker.com/id/1030298
|
|
CVE Reference:
CVE-2014-0119
(Links to External Site)
|
Date: May 27 2014
|
Impact:
Disclosure of system information, Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 6.0.0 to 6.0.39, 7.0.0 to 7.0.53, 8.0.0-RC1 to 8.0.5
|
Description:
A vulnerability was reported in Apache Tomcat. A remote authenticated user can bypass security restrictions and view certain files on the target system.
In certain situations, a specially crafted web application can replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plugin configuration files and then bypass XML external entity restrictions and view XML files of other applications.
The Tomcat security team reported this vulnerability.
|
Impact:
A remote authenticated user can bypass security restrictions and view certain files on the target system.
|
Solution:
The vendor has issued a fix (6.0.41, 7.0.54, 8.0.8).
The vendor's advisory is available at:
http://tomcat.apache.org/security-8.html
|
Vendor URL: tomcat.apache.org/security-8.html (Links to External Site)
|
Cause:
Access control error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Subject: [FD] [SECURITY] CVE-2014-0119 Apache Tomcat information disclosure
|
CVE-2014-0119 Information Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.5
- Apache Tomcat 7.0.0 to 7.0.53
- Apache Tomcat 6.0.0 to 6.0.39
Description:
In limited circumstances it was possible for a malicious web application
to replace the XML parsers used by Tomcat to process XSLTs for the
default servlet, JSP documents, tag library descriptors (TLDs) and tag
plugin configuration files. The injected XMl parser(s) could then bypass
the limits imposed on XML external entities and/or have visibility of
the XML files processed for other web applications deployed on the same
Tomcat instance.
Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.8 or later
(8.0.6 and 8.0.7 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.54 or later
- Upgrade to Apache Tomcat 6.0.41 or later
(6.0.40 contains the fix but was not released)
Credit:
This issue was identified by the Tomcat security team.
References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
|
|
