Lucene search

[email protected]NVD:CVE-2017-7674

HistoryAug 11, 2017 - 2:29 a.m.

CVE-2017-7674

2017-08-1102:29:00

CWE-345

[email protected]

web.nvd.nist.gov

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

5.8 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.4%

JSON

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Affected configurations

NVD

Node

apachetomcatMatch7.0.41

apachetomcatMatch7.0.42

apachetomcatMatch7.0.43

apachetomcatMatch7.0.44

apachetomcatMatch7.0.45

apachetomcatMatch7.0.46

apachetomcatMatch7.0.47

apachetomcatMatch7.0.48

apachetomcatMatch7.0.49

apachetomcatMatch7.0.50

apachetomcatMatch7.0.52

apachetomcatMatch7.0.53

apachetomcatMatch7.0.54

apachetomcatMatch7.0.55

apachetomcatMatch7.0.56

apachetomcatMatch7.0.57

apachetomcatMatch7.0.58

apachetomcatMatch7.0.59

apachetomcatMatch7.0.60

apachetomcatMatch7.0.61

apachetomcatMatch7.0.62

apachetomcatMatch7.0.63

apachetomcatMatch7.0.64

apachetomcatMatch7.0.65

apachetomcatMatch7.0.66

apachetomcatMatch7.0.67

apachetomcatMatch7.0.68

apachetomcatMatch7.0.69

apachetomcatMatch7.0.70

apachetomcatMatch7.0.71

apachetomcatMatch7.0.72

apachetomcatMatch7.0.73

apachetomcatMatch7.0.74

apachetomcatMatch7.0.75

apachetomcatMatch7.0.76

apachetomcatMatch7.0.77

apachetomcatMatch7.0.78

apachetomcatMatch8.0

apachetomcatMatch8.0.0rc1

apachetomcatMatch8.0.0rc10

apachetomcatMatch8.0.0rc3

apachetomcatMatch8.0.0rc5

apachetomcatMatch8.0.1

apachetomcatMatch8.0.2

apachetomcatMatch8.0.3

apachetomcatMatch8.0.4

apachetomcatMatch8.0.5

apachetomcatMatch8.0.6

apachetomcatMatch8.0.7

apachetomcatMatch8.0.8

apachetomcatMatch8.0.9

apachetomcatMatch8.0.10

apachetomcatMatch8.0.11

apachetomcatMatch8.0.12

apachetomcatMatch8.0.13

apachetomcatMatch8.0.14

apachetomcatMatch8.0.15

apachetomcatMatch8.0.16

apachetomcatMatch8.0.17

apachetomcatMatch8.0.18

apachetomcatMatch8.0.19

apachetomcatMatch8.0.20

apachetomcatMatch8.0.21

apachetomcatMatch8.0.22

apachetomcatMatch8.0.23

apachetomcatMatch8.0.24

apachetomcatMatch8.0.25

apachetomcatMatch8.0.26

apachetomcatMatch8.0.27

apachetomcatMatch8.0.28

apachetomcatMatch8.0.29

apachetomcatMatch8.0.30

apachetomcatMatch8.0.31

apachetomcatMatch8.0.32

apachetomcatMatch8.0.33

apachetomcatMatch8.0.34

apachetomcatMatch8.0.35

apachetomcatMatch8.0.36

apachetomcatMatch8.0.37

apachetomcatMatch8.0.38

apachetomcatMatch8.0.39

apachetomcatMatch8.0.40

apachetomcatMatch8.0.41

apachetomcatMatch8.0.42

apachetomcatMatch8.0.43

apachetomcatMatch8.0.44

apachetomcatMatch8.5.0

apachetomcatMatch8.5.1

apachetomcatMatch8.5.2

apachetomcatMatch8.5.3

apachetomcatMatch8.5.4

apachetomcatMatch8.5.5

apachetomcatMatch8.5.6

apachetomcatMatch8.5.7

apachetomcatMatch8.5.8

apachetomcatMatch8.5.9

apachetomcatMatch8.5.10

apachetomcatMatch8.5.11

apachetomcatMatch8.5.12

apachetomcatMatch8.5.13

apachetomcatMatch8.5.14

apachetomcatMatch8.5.15

apachetomcatMatch9.0.0milestone1

apachetomcatMatch9.0.0milestone10

apachetomcatMatch9.0.0milestone11

apachetomcatMatch9.0.0milestone12

apachetomcatMatch9.0.0milestone13

apachetomcatMatch9.0.0milestone14

apachetomcatMatch9.0.0milestone15

apachetomcatMatch9.0.0milestone16

apachetomcatMatch9.0.0milestone17

apachetomcatMatch9.0.0milestone18

apachetomcatMatch9.0.0milestone19

apachetomcatMatch9.0.0milestone2

apachetomcatMatch9.0.0milestone20

apachetomcatMatch9.0.0milestone21

apachetomcatMatch9.0.0milestone3

apachetomcatMatch9.0.0milestone4

apachetomcatMatch9.0.0milestone5

apachetomcatMatch9.0.0milestone6

apachetomcatMatch9.0.0milestone7

apachetomcatMatch9.0.0milestone8

apachetomcatMatch9.0.0milestone9

References

www.debian.org/security/2017/dsa-3974

www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

www.securityfocus.com/bid/100280

access.redhat.com/errata/RHSA-2017:1801

access.redhat.com/errata/RHSA-2017:1802

access.redhat.com/errata/RHSA-2017:3081

lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/22b4bb077502f847e2b9fcf00b96e81e734466ab459780ff73b60c0f%40%3Cannounce.tomcat.apache.org%3E

lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E

lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E

lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E

lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

lists.debian.org/debian-lts-announce/2018/06/msg00008.html

security.netapp.com/advisory/ntap-20180614-0003/

support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

5.8 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.4%

JSON

Related for NVD:CVE-2017-7674

tomcat4 fedora2 ibm14 debiancve1 redhatcve1 nessus23 osv4 cvelist1 cve1 openvas14 prion1 veracode1 ubuntucve1 amazon3 github1 mageia1 f51 debian3 suse4 centos1 ubuntu1 redhat3 oraclelinux1 symantec1 oracle1