Описание
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2013-4590
- https://github.com/apache/tomcat/commit/05c84ff8304a69a30b251f207a7b93c2c882564d
- https://github.com/apache/tomcat/commit/78dd7e6f3d8481bc3bcd71ca5b20296de1283888
- https://github.com/apache/tomcat/commit/b9e06ead01984483af73f48e7861bc7897f5e84f
- https://bugzilla.redhat.com/show_bug.cgi?id=1069911
- https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
- https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
- http://advisories.mageia.org/MGASA-2014-0148.html
- http://marc.info/?l=bugtraq&m=144498216801440&w=2
- http://svn.apache.org/viewvc?view=revision&revision=1549528
- http://svn.apache.org/viewvc?view=revision&revision=1549529
- http://svn.apache.org/viewvc?view=revision&revision=1558828
- http://tomcat.apache.org/security-6.html
- http://tomcat.apache.org/security-7.html
- http://tomcat.apache.org/security-8.html
- http://www-01.ibm.com/support/docview.wss?uid=swg21667883
- http://www-01.ibm.com/support/docview.wss?uid=swg21675886
- http://www-01.ibm.com/support/docview.wss?uid=swg21677147
- http://www-01.ibm.com/support/docview.wss?uid=swg21678231
- http://www.debian.org/security/2016/dsa-3530
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
- http://www.vmware.com/security/advisories/VMSA-2014-0008.html
Пакеты
org.apache.tomcat:tomcat
< 6.0.39
6.0.39
org.apache.tomcat:tomcat
>= 7.0.0, < 7.0.50
7.0.50
org.apache.tomcat:tomcat
>= 8.0.0-RC1, <= 8.0.0-RC9
8.0.0-RC10
Связанные уязвимости
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-R ...
