CVE-2017-7674 – org.apache.tomcat:tomcat

Package

Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=9.0.0.m1 <9.0.0.m22 || >=8.5.0 <8.5.16 || >=8.0.0.rc1 <8.0.45 || >=7.0.41 <7.0.79

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.04091 pctl0.8813

Details

Insufficient Verification of Data Authenticity in Apache Tomcat The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Metadata

Created: 2022-05-14T01:10:15Z
Modified: 2024-02-22T22:27:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-73rx-3f9r-x949/GHSA-73rx-3f9r-x949.json
CWE IDs: ["CWE-345"]
Alternative ID: GHSA-73rx-3f9r-x949
Finding: F204
Auto approve: 1