vulnerability

Apache Tomcat: Low: Information Disclosure (CVE-2017-5648)

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Published

Apr 11, 2017

Added

Apr 11, 2017

Modified

Mar 27, 2026

Description

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Solutions

apache-tomcat-upgrade-7_0_76apache-tomcat-upgrade-8_0_42apache-tomcat-upgrade-8_5_12

References

CVE-2017-5648
https://attackerkb.com/topics/CVE-2017-5648
CWE-668
EUVD-EUVD-2022-2247
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-2247

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report