Bug 865743 (CVE-2013-4590)

Summary: VUL-0: CVE-2013-4590: tomcat: information disclosure via XSS when running untrusted web applications
Product: [Novell Products] SUSE Security Incidents Reporter: Victor Pereira <vpereira>
Component: IncidentsAssignee: Fridrich Strba <fstrba>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE 13.1   
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Victor Pereira 2014-02-26 08:59:36 UTC

Application provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment.

This has been corrected in upstream versions 8.0.0-rc10 [1], 7.0.50 [2], and 6.0.39 [3]

[1] http://svn.apache.org/viewvc?view=revision&revision=1549528
[2] http://svn.apache.org/viewvc?view=revision&revision=1549529
[3] http://svn.apache.org/viewvc?view=revision&revision=1558828
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1069911
Comment 1 Swamp Workflow Management 2014-02-26 23:00:21 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-09-01 13:57:07 UTC
we released a tomcat 6.0.41 version update for SLE11, SLE12 has 7.0.54