CVE-2017-5648

State: PUBLISHED · Published: 2017-04-17 · Updated: 2024-08-05 · Assigner: apache

Description

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

CWE

(none)

Affected

Apache Software Foundation / Apache Tomcat — v=9.0.0.M1 to 9.0.0.M17 [affected]; v=8.5.0 to 8.5.11 [affected]; v=8.0.0.RC1 to 8.0.41 [affected]; v=7.0.0 to 7.0.75 [affected]

CVSS

(none)

References

https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://security.gentoo.org/glsa/201705-09 vendor-advisory, x_refsource_GENTOO
https://security.netapp.com/advisory/ntap-20180614-0001/ x_refsource_CONFIRM
http://www.securityfocus.com/bid/97530 vdb-entry, x_refsource_BID
https://access.redhat.com/errata/RHSA-2017:1801 vendor-advisory, x_refsource_REDHAT
http://www.debian.org/security/2017/dsa-3843 vendor-advisory, x_refsource_DEBIAN
http://www.securitytracker.com/id/1038220 vdb-entry, x_refsource_SECTRACK
http://www.debian.org/security/2017/dsa-3842 vendor-advisory, x_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2017:1809 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:1802 vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2020/07/20/8 mailing-list, x_refsource_MLIST

Source

cvelistV5-main/cves/2017/5xxx/CVE-2017-5648.json