#VU8543 Information disclosure in Apache Tomcat - CVE-2017-12616

Cybersecurity Help s.r.o.

Published: 2017-09-21

Vulnerability identifier: #VU8543

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-12616

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Tomcat
Server applications / Web servers

Vendor: Apache Foundation

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the systems and resources using the VirtualDirContext due to input validation flaw. A remote attacker can send a specially crafted request to bypass security constraints and view JSP source code for resources on the target system served by the VirtualDirContext.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation
Update to version 7.0.81.

Vulnerable software versions

Apache Tomcat: 7.0.0 - 7.0.80

External links
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for tomcat7

HP-UX update for Tomcat

SUSE Linux update for tomcat

Arch Linux update for tomcat7

Multiple vulnerabilities in Apache Tomcat