CVE-2017-12616

Impact:
Moderate
Public Date:
2017-09-19
CWE:
CWE-200
Bugzilla:
1493222: CVE-2017-12616 tomcat: Information Disclosure when using VirtualDirContext

The MITRE CVE dictionary describes this issue as:

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Find out more about CVE-2017-12616 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

VirtualDirContext is not designed to be used in production, but only to ease development with IDEs without needing to fully republish jars in WEB-INF/lib.

CVSS v3 metrics

CVSS3 Base Score 5.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact None
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Web Server 3.1 for RHEL 7 RHSA-2018:0466 2018-03-07
Red Hat JBoss Web Server 3.1 for RHEL 6 RHSA-2018:0466 2018-03-07
Red Hat JBoss Web Server 3.1 RHSA-2018:0465 2018-03-07

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-java-common-tomcat Not affected
Red Hat JBoss Portal Platform 6 jbossweb Will not fix
Red Hat JBoss Operations Network 3 jbossweb Will not fix
Red Hat JBoss Fuse 6 jbossweb Not affected
Red Hat JBoss EWS 2 tomcat7 Will not fix
Red Hat JBoss EAP 6 jbossweb Will not fix
Red Hat JBoss Data Virtualization 6 jbossweb Not affected
Red Hat JBoss Data Grid 6 jbossweb Not affected
Red Hat Enterprise Linux 7 tomcat Will not fix
Red Hat Enterprise Linux 6 tomcat6 Will not fix
Red Hat Enterprise Linux 5 tomcat5 Not affected

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.