| VID |
22813 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The version of Apache Tomcat installed on the remote host is 6.0.x prior to 6.0.24. It is, therefore, affected by multiple vulnerabilities :
- An unspecified flaw exists in the handling of pipelined requests when 'Sendfile' was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)
- An unspecified flaw in error page mechanism of the DefaultServlet implementation allows a specially-crafted HTTP request to cause undesired side effects, including the removal or replacement of the custom error page. (CVE-2017-5664)
- An unspecified flaw affects servlet contexts configured as readonly=false with HTTP PUT requests allowed. An attacker can upload a JSP file to that context and execute arbitrary code. (CVE-2017-12615, CVE-2017-12617)
* References:
https://lists.apache.org/thread.html/5796678c5a773c6f3ff57c178ac247d85ceca0dee9190ba48171451a@%3Cusers.tomcat.apache.org%3E
* Platforms Affected:
Apache Tomcat Server versions 6.0.x prior to 6.0.24
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of Apache Tomcat Server (6.0.24 or later), available from the Apache Software Foundation download site, http://tomcat.apache.org/ |
| Related URL |
CVE-2017-5647,CVE-2017-5664,CVE-2017-12615,CVE-2017-12617 (CVE) |
| Related URL |
98888,100901,100954 (SecurityFocus) |
| Related URL |
(ISS) |
|
