Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2017-7674

Опубликовано: 10 авг. 2017
Источник: redhat
CVSS3: 5.9
EPSS Низкий

Описание

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

A vulnerability was discovered in Tomcat where the CORS Filter did not send a "Vary: Origin" HTTP header. This potentially allowed sensitive data to be leaked to other visitors through both client-side and server-side caches.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6tomcat6Not affected
Red Hat JBoss Data Grid 6jbosswebNot affected
Red Hat JBoss Data Virtualization 6jbosswebNot affected
Red Hat JBoss Enterprise Application Platform 6jbosswebNot affected
Red Hat JBoss Enterprise Web Server 2tomcat6Will not fix
Red Hat JBoss Enterprise Web Server 2tomcat7Will not fix
Red Hat JBoss Fuse 6jbosswebNot affected
Red Hat JBoss Fuse 6tomcat7Under investigation
Red Hat JBoss Fuse 6tomcat8Under investigation
Red Hat JBoss Fuse Service Works 6jbosswebNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
https://bugzilla.redhat.com/show_bug.cgi?id=1480618tomcat: Vary header not added by CORS filter leading to cache poisoning

EPSS

Процентиль: 88%
0.04091
Низкий

5.9 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2017-7674

CVSS3: 4.3
ubuntu
почти 8 лет назад

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

nvd логотип

CVE-2017-7674

CVSS3: 4.3
nvd
почти 8 лет назад

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

debian логотип

CVE-2017-7674

CVSS3: 4.3
debian
почти 8 лет назад

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.1 ...

github логотип

GHSA-73rx-3f9r-x949

CVSS3: 4.3
github
около 3 лет назад

Insufficient Verification of Data Authenticity in Apache Tomcat

fstec логотип

BDU:2017-02035

fstec
почти 8 лет назад

Уязвимость фильтра CORS сервера приложений Apache Tomcat, позволяющая нарушителю осуществить заражение клиента и сервера при определенных обстоятельствах

EPSS

Процентиль: 88%
0.04091
Низкий

5.9 Medium

CVSS3