CVE-2017-5664

State: PUBLISHED · Published: 2017-06-06 · Updated: 2024-08-05 · Assigner: apache

Description

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

CWE

(none)

Affected

Apache Software Foundation / Apache Tomcat — v=9.0.0.M1 to 9.0.0.M20 [affected]; v=8.5.0 to 8.5.14 [affected]; v=8.0.0.RC1 to 8.0.43 [affected]; v=7.0.0 to 7.0.77 [affected]

CVSS

(none)

References

http://www.debian.org/security/2017/dsa-3891 vendor-advisory, x_refsource_DEBIAN
https://security.netapp.com/advisory/ntap-20171019-0002/ x_refsource_CONFIRM
http://www.securityfocus.com/bid/98888 vdb-entry, x_refsource_BID
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2017:3080 vendor-advisory, x_refsource_REDHAT
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2017:1801 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:2635 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:2638 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:2494 vendor-advisory, x_refsource_REDHAT
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html x_refsource_CONFIRM
https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066%40%3Cannounce.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2017:2636 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:1809 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:2637 vendor-advisory, x_refsource_REDHAT
http://www.securitytracker.com/id/1038641 vdb-entry, x_refsource_SECTRACK
http://www.debian.org/security/2017/dsa-3892 vendor-advisory, x_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2017:2633 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:1802 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:2493 vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html x_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html x_refsource_MISC
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST

Source

cvelistV5-main/cves/2017/5xxx/CVE-2017-5664.json