CVE-2017-5648

Published: 17 April 2017

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
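The following Java program is an added illustration, not Tomcat source code, of why the choice of object matters in the sentence above. It mimics the container pattern the advisory refers to: a pooled, recycled internal request object versus a facade that is detached when the request completes. The class names (InternalRequest, RequestFacade, LeakyListener), the context paths and the attribute values are all hypothetical and chosen only to show the cross-application leak and how the facade blocks it.

```java
// Added illustration (hypothetical classes, not Tomcat's own implementation):
// a container-internal request object that is recycled and reused across
// requests, a facade that forwards to it only while the request is live, and
// an untrusted listener that keeps whatever reference it was handed.
import java.util.HashMap;
import java.util.Map;

public class FacadeDemo {

    /** Container-internal request object: pooled and reused across requests. */
    static final class InternalRequest {
        private final Map<String, String> attrs = new HashMap<>();
        private String contextPath;

        void recycle() { attrs.clear(); contextPath = null; } // end of request
        void setContextPath(String p) { contextPath = p; }
        String getContextPath() { return contextPath; }
        void setAttribute(String k, String v) { attrs.put(k, v); }
        String getAttribute(String k) { return attrs.get(k); }
    }

    /**
     * Facade handed to application code. It forwards to the internal object
     * until the container clears it; afterwards every call fails instead of
     * exposing whatever request the internal object is now serving.
     */
    static final class RequestFacade {
        private InternalRequest request;

        RequestFacade(InternalRequest r) { request = r; }
        void clear() { request = null; } // container detaches at end of request

        private InternalRequest live() {
            if (request == null) {
                throw new IllegalStateException("request already recycled");
            }
            return request;
        }
        String getContextPath() { return live().getContextPath(); }
        String getAttribute(String k) { return live().getAttribute(k); }
    }

    /** Untrusted listener that misbehaves by retaining the object it was given. */
    static final class LeakyListener {
        Object retained;
        void requestInitialized(Object requestView) { retained = requestView; }
    }

    /**
     * Simulates two requests served by one recycled internal object: request 1
     * for a hypothetical webapp A (whose listener runs), then request 2 for
     * webapp B. Returns what webapp A's retained reference can read during
     * request 2, or a "blocked" marker if the facade refuses the call.
     */
    static String retainedReadDuringNextRequest(boolean passFacade) {
        InternalRequest internal = new InternalRequest();
        RequestFacade facade = new RequestFacade(internal);
        LeakyListener listenerOfAppA = new LeakyListener();

        // Request 1, webapp A (constructed sample data).
        internal.setContextPath("/appA");
        internal.setAttribute("user", "alice");
        listenerOfAppA.requestInitialized(passFacade ? facade : internal);

        // Request 1 completes: facade detached, internal object recycled.
        facade.clear();
        internal.recycle();

        // Request 2, webapp B, reuses the same internal object.
        internal.setContextPath("/appB");
        internal.setAttribute("user", "bob");

        // Webapp A's listener now reads through the reference it kept.
        try {
            if (listenerOfAppA.retained instanceof RequestFacade) {
                return ((RequestFacade) listenerOfAppA.retained).getAttribute("user");
            }
            return ((InternalRequest) listenerOfAppA.retained).getAttribute("user");
        } catch (IllegalStateException e) {
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("internal object handed to listener: "
                + retainedReadDuringNextRequest(false));
        System.out.println("facade handed to listener:          "
                + retainedReadDuringNextRequest(true));
    }
}
```

With the internal object handed to the listener, webapp A's retained reference reads webapp B's attribute during the second request, which is the cross-application access the advisory describes; with the facade, the same read fails because the container cleared the facade when the first request completed. Under a SecurityManager the facade is also what confines application code to the servlet API surface, so passing the internal object bypasses that confinement as well.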

Priority

Medium

CVSS 3 base score: 9.1

Status

Package      Release                            Status

tomcat6
Launchpad, Ubuntu, Debian
             Upstream                           Not vulnerable
             Ubuntu 21.04 (Hirsute Hippo)       Does not exist
             Ubuntu 20.10 (Groovy Gorilla)      Does not exist
             Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
             Ubuntu 18.04 LTS (Bionic Beaver)   Does not exist
             Ubuntu 16.04 ESM (Xenial Xerus)    Not vulnerable
             Ubuntu 14.04 ESM (Trusty Tahr)     Not vulnerable

tomcat7
Launchpad, Ubuntu, Debian
             Upstream                           Released (7.0.72-3)
             Ubuntu 21.04 (Hirsute Hippo)       Does not exist
             Ubuntu 20.10 (Groovy Gorilla)      Does not exist
             Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
             Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (7.0.75-1)
             Ubuntu 16.04 ESM (Xenial Xerus)    Ignored (end of standard support, was needed)
             Ubuntu 14.04 ESM (Trusty Tahr)     Released (7.0.52-1ubuntu0.13)
Patches:
Upstream: https://svn.apache.org/viewvc?view=revision&revision=1785777
tomcat8
Launchpad, Ubuntu, Debian
             Upstream                           Released (8.5.11-2)
             Ubuntu 21.04 (Hirsute Hippo)       Does not exist
             Ubuntu 20.10 (Groovy Gorilla)      Does not exist
             Ubuntu 20.04 LTS (Focal Fossa)     Does not exist
             Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (8.5.21-1ubuntu1)
             Ubuntu 16.04 ESM (Xenial Xerus)    Released (8.0.32-1ubuntu1.5)
             Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist
Patches:
Upstream: https://svn.apache.org/viewvc?view=revision&revision=1785776