Back to list
[SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
Feb 25 2009 11:17PM
Mark Thomas (markt apache org)
-----BEGIN PGP SIGNED MESSAGE-----
CVE-2008-4308: Tomcat information disclosure vulnerability
The Apache Software Foundation
Tomcat 4.1.32 to 4.1.34
Tomcat 5.5.10 to 5.5.20
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
Note: Although this vulnerability affects relatively old versions of
Apache Tomcat, it was only discovered and reported to the Apache Tomcat
Security team in October 2008. Publication of this issue was then
postponed until now at the request of the reporter.
Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may
result in the disclosure of POSTed content from a previous request. For
a vulnerability to exist the content read from the input stream must be
disclosed, eg via writing it to the response and committing the
response, before the ArrayIndexOutOfBoundsException occurs which will
halt processing of the request.
4.1.35 or later
5.5.21 or later
6.0.0 or later
See original bug report for example of how to create the error condition.
This issue was discovered by Fujitsu and reported to the Tomcat Security
Team via JPCERT.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
[ reply ]
Copyright 2010, SecurityFocus