Information Security

Additional information

  Multiple security vulnerabilities in Apache Tomcat

  [SECURITY] CVE-2014-0119 Apache Tomcat information disclosure

  [SECURITY] CVE-2014-0097 Apache Tomcat information disclosure

  [SECURITY] CVE-2014-0095 Apache Tomcat denial of service

  [SECURITY] CVE-2014-0075 Apache Tomcat denial of service

Date: May 29, 2014
Subject: [SECURITY] CVE-2014-0096 Apache Tomcat information disclosure

CVE-2014-0096 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

The default servlet allows web applications to define (at multiple
levels) an XSLT to be used to format a directory listing. When running
under a security manager, the processing of these was not subject to the
same constraints as the web application. This enabled a malicious web
application to bypass the file access constraints imposed by the
security manager via the use of external XML entities.

Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
 (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
 (6.0.40 contains the fix but was not released)

This issue was identified by the Tomcat security team.

[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
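The advisory attributes the bypass to external XML entities in the XSLT used for directory listings. The following is an added example, not code from the advisory or from Tomcat, showing one way to load a stylesheet so that external entities are refused before the transformer sees it. The class and method names are hypothetical, the hostile stylesheet is constructed for the demonstration, and Java 8 with JAXP 1.5 is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import org.xml.sax.SAXException;

public class SafeXsltLoader {          // hypothetical name, not a Tomcat class
    // Parse the stylesheet ourselves so entity handling is under our control,
    // then hand the transformer a DOM tree instead of a raw stream.
    static Source load(InputStream xslt) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // XSLT elements live in a namespace
        dbf.setValidating(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Refuse every request to resolve an external entity.
        db.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity blocked: " + systemId);
        });
        return new DOMSource(db.parse(xslt));
    }

    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: an empty string permits no protocol at all.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a stylesheet declaring an external entity.
        String hostile = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///constructed/placeholder\">]>\n"
            + "<xsl:stylesheet version=\"1.0\""
            + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:template match=\"/\">&e;</xsl:template></xsl:stylesheet>";
        byte[] bytes = hostile.getBytes(StandardCharsets.UTF_8);
        try {
            hardenedFactory().newTransformer(load(new ByteArrayInputStream(bytes)));
            System.out.println("stylesheet accepted (unexpected for this sample)");
        } catch (SAXException ex) {
            System.out.println("stylesheet rejected: " + ex.getMessage());
        }
    }
}
```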

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod