CVE-2017-5648

Summary

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Tomcat9.0.0.M1 to 9.0.0.M17affected
Apache Software FoundationApache Tomcat8.5.0 to 8.5.11affected
Apache Software FoundationApache Tomcat8.0.0.RC1 to 8.0.41affected
Apache Software FoundationApache Tomcat7.0.0 to 7.0.75affected

Weaknesses

  • Information Disclosure

ADP Enrichment

CVE Program Container

Additional References

References