Apache Tomcat Information Disclosure Via XXE

2014.02.26
Credit: Apache
Risk: High
Local: No
Remote: Yes
CVE: CVE-2013-4590
CWE: CWE-200


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2013-4590 Information disclosure via XXE when running untrusted web applications Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5 - - Apache Tomcat 7.0.0 to 7.0.47 - - Apache Tomcat 6.0.0 to 6.0.37 Description: Application provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.0-RC10 or later (8.0.0-RC6 to 8.0.0-RC9 contain the fix but were not released) - - Upgrade to Apache Tomcat 7.0.50 or later (7.0.48 to 7.0.49 contain the fix but were not released) - - Upgrade to Apache Tomcat 6.0.39 or later (6.0.38 contains the fix but was not released) Credit: This issue was identified by the Apache Tomcat security team. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTDHxJAAoJEBDAHFovYFnnyWAQAIoducHGYKhqCCq7SbbkeUxC 2y8HxdYKo0T/AfolZoTlFInPnVDG8cvoPjEKO7MVzmWJaXjH4lOPYWAzss/N5//M SCczevb1CSmw+m6d6TWs5YeJSGdJdEZuGjIo4GBTLYymUGPB88JdbeeIDvsVeWIx agPaXN80aNady+uPbbpPh3mLIRchi00Ui7vI+0eWMVzcOED1MsvNiPyaGk7eHIhQ nAoiG1QqY68yps1i9lTL1y5jaTklhf6Rh0BKRHA5oLBC2XH6vzKfVw4DVbYTDIve N74s4BssSCMgKDzIGG1zwvU6EdLrHW+NVmfKDey+D0j6THT3rTPiQC4QVjZfVY0u YLuLkX/kobjV2ESgXj7EBTzxuOB/F+bweZ4PfdSV723ggQclwotzLQvEfKkcc4WY taYl4D33gL55QvCsKCCDYbCZklZxOyQ34mly70064tOEFE/nuSq5hIS887Jh0WW2 5pDweW2GZxjXMPAs3sFpmx2UW8VEepxYOhVla/9O+AseHePlyjihEekpB+83Gotk YAFCpCrkXLX9i2B/LW65DYJYUycW+s6j1kQzGyJmsF0ff45airKhrcHvBLtPGm4B dhY5hLhaQh//eJvJlNoAq2QfDEiPEqR5Ks91mhkp+4JBP1ubMyGbQo/Di0jShoJR dwR7dpwk2mIO/l6BnAv6 =hR9C -----END PGP SIGNATURE-----

References:

http://tomcat.apache.org/security-8.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top