Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
Apache Tomcat Information Disclosure Vulnerability - Jan21 (Linux)
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
Apache Tomcat is prone to an information disclosure vulnerability.
Insight
Insight
When serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
Affected Software
Affected Software
Apache Tomcat 7.0.0 to 7.0.106, 8.5.0 to 8.5.59, 9.0.0.M1 to 9.0.39 and 10.0.0-M1 to 10.0.0-M9.
Detection Method
Detection Method
Checks if a vulnerable version is present on the target host.
Solution
Solution
Update to version 7.0.107, 8.5.60, 9.0.40, 10.0.0-M10 or later.
Common Vulnerabilities and Exposures (CVE)
References
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.4
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.6
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.1
- https://lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f382