CVE-2017-7674

Severity

4.3

Description

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7674

http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html

https://bz.apache.org/bugzilla/show_bug.cgi?id=61101

https://lists.apache.org/thread.html/22b4bb077502f847e2b9fcf00b96e81e734466ab459780ff73b60c0f@%3Cannounce.tomcat.apache.org%3E

Project

Apache Tomcat

Category

Cache Poisoning

Tags

data

configuration

Date Disclosed

2017-08-10

Date Discovered

2017-04-11

Apache Tomcat 8.5.x

First release:

2016-06-13

0

Support Lifecycle:

Maintenance Support

Namespace:

javax

8.5.0 8.5.2 8.5.3 8.5.4 8.5.5 8.5.6 8.5.8 8.5.9 8.5.11 8.5.12 8.5.13 8.5.14 8.5.15

Apache Tomcat 8.0.x

First release:

2014-06-25

First release:

2018-06-30

0

Support Lifecycle:

Namespace:

javax

8.0.1 8.0.3 8.0.5 8.0.8 8.0.9 8.0.11 8.0.12 8.0.14 8.0.15 8.0.17 8.0.18 8.0.20 8.0.21 8.0.22 8.0.23 8.0.24 8.0.26 8.0.27 8.0.28 8.0.29 8.0.30 8.0.32 8.0.33 8.0.35 8.0.36 8.0.37 8.0.38 8.0.39 8.0.41 8.0.42 8.0.43 8.0.44

Apache TomEE 7.0.x

First release:

2016-05-17

0

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.0.0 7.0.1 7.0.2 7.0.3

Apache Tomcat 7.0.x

First release:

2011-01-14

First release:

2021-03-31

0

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.0.41 7.0.42 7.0.47 7.0.50 7.0.52 7.0.53 7.0.54 7.0.55 7.0.56 7.0.57 7.0.59 7.0.61 7.0.62 7.0.63 7.0.64 7.0.65 7.0.67 7.0.68 7.0.69 7.0.70 7.0.72 7.0.73 7.0.75 7.0.76 7.0.77 7.0.78

Apache TomEE 1.7.x

First release:

2014-08-09

0

Support Lifecycle:

Namespace:

javax

1.7.0 1.7.1 1.7.2 1.7.3 1.7.4

Apache TomEE 1.6.x

First release:

2013-11-17

0

Support Lifecycle:

Namespace:

javax

1.6.0 1.6.0.1 1.6.0.2

Feel Vulnerable?

Contact us so we can help you.

First name ^*
Last name ^*
Email ^*
Company ^*
Product ^*
Heard about us from: ^*
Tell us more ^*

Send me a confirmation email

^* These fields are required.