CVE-2013-2071

Опубликовано: 10 мая 2013

Источник: redhat

CVSS2: 2.6

Описание

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

Отчет

This flaw only affects tomcat 7. Tomcat 5 and 6 are not affected. The jbossweb servlet container is also not affected.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 5	tomcat5	Not affected
Red Hat Enterprise Linux 6	tomcat6	Not affected
Red Hat JBoss Enterprise Web Server 1	eap5	Not affected
Red Hat JBoss Enterprise Web Server 1	eap6	Not affected
Red Hat JBoss Enterprise Web Server 1	tomcat5	Not affected
Red Hat JBoss Enterprise Web Server 1	tomcat6	Not affected
Red Hat JBoss Enterprise Web Server 2 for RHEL 5	apache-commons-daemon-eap6	Fixed	RHSA-2013:1011	03.07.2013
Red Hat JBoss Enterprise Web Server 2 for RHEL 5	apache-commons-daemon-jsvc-eap6	Fixed	RHSA-2013:1011	03.07.2013
Red Hat JBoss Enterprise Web Server 2 for RHEL 5	apache-commons-pool-eap6	Fixed	RHSA-2013:1011	03.07.2013
Red Hat JBoss Enterprise Web Server 2 for RHEL 5	dom4j	Fixed	RHSA-2013:1011	03.07.2013

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low

https://bugzilla.redhat.com/show_bug.cgi?id=961803tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw RuntimeExceptions

2.6 Low

CVSS2