SecurityTracker.com

SecurityTracker
Archives


 


Category:  Application (Web Server/CGI) > Apache Tomcat
Vendors:  Apache Software Foundation
Apache Tomcat VirtualDirContext Flaw Lets Remote Users View JSP Source Code for the Affected Resource
SecurityTracker Alert ID:  1039393
SecurityTracker URL:  http://securitytracker.com/id/1039393
CVE Reference:  CVE-2017-12616
Date:  Sep 20 2017
Impact:  Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s):  7.0.0 to 7.0.80
Description:   A vulnerability was reported in Apache Tomcat. A remote user can obtain potentially sensitive information on the target system.

A remote user can send a specially crafted request to view JSP source code for resources on the target system served via the VirtualDirContext.

Systems and resources using the VirtualDirContext are affected.

The Tomcat Security Team reported this vulnerability.

Impact:   A remote user can obtain JSP source code on the target system.
Solution:   The vendor has issued a fix (7.0.81).

The vendor advisory is available at:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81

Vendor URL:  tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 3 2018 (HPE Issues Fix for HP-UX) Apache Tomcat VirtualDirContext Flaw Lets Remote Users View JSP Source Code for the Affected Resource
HPE has issued a fix for the HP-UX Tomcat-based Servlet Engine.
May 31 2018 (Ubuntu Issues Fix) Apache Tomcat VirtualDirContext Flaw Lets Remote Users View JSP Source Code for the Affected Resource
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, 17.10, and 18.04 LTS.



 Source Message Contents



[Original Message Not Available for Viewing]



Copyright 2019, SecurityGlobal.net LLC