Bug 865743 - (CVE-2013-4590) VUL-0: CVE-2013-4590: tomcat: information disclosure via XSS when running untrusted web applications
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Minor
Assigned To: Fridrich Strba
QA Contact: Security Team bot
Depends on:
Reported: 2014-02-26 08:59 UTC by Victor Pereira
Modified: 2014-09-01 13:57 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2014-02-26 08:59:36 UTC

Application-provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment.

This has been corrected in upstream versions 8.0.0-rc10 [1], 7.0.50 [2], and 6.0.39 [3].

[1] http://svn.apache.org/viewvc?view=revision&revision=1549528
[2] http://svn.apache.org/viewvc?view=revision&revision=1549529
[3] http://svn.apache.org/viewvc?view=revision&revision=1558828
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1069911
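An added example, not part of this bug report or of the Tomcat fix: a pre-deployment check a shared-hosting operator could run over an uploaded application, flagging the descriptor types named above when they declare a DOCTYPE or an external entity (expat reports the declarations without resolving anything). The descriptor list and the sample web.xml with its placeholder path are assumptions constructed for this example.

```python
import os
import xml.parsers.expat

# Descriptor types named in the report (assumed to be the full list)
DESCRIPTOR_NAMES = {"web.xml", "context.xml"}
DESCRIPTOR_SUFFIXES = (".tld", ".tagx", ".jspx")

def is_descriptor(path):
    """True for XML files Tomcat parses from the application itself."""
    base = os.path.basename(path)
    return base in DESCRIPTOR_NAMES or base.endswith(DESCRIPTOR_SUFFIXES)

def find_entity_risks(xml_bytes):
    """List (kind, name, identifier) for DOCTYPE / external entity declarations.
    Nothing is fetched: expat only reports the declarations it sees."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            findings.append(("doctype-external", name, sysid or pubid))
        elif has_internal_subset:
            findings.append(("doctype-internal", name, None))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:
            findings.append(("external-entity", name, sysid or pubid))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Acknowledge external references so parsing continues, but never resolve them
    parser.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: 1
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as err:
        findings.append(("parse-error", str(err), None))
    return findings

# Constructed sample: an internal DTD subset declaring an external entity
# (placeholder path, not a real file)
SAMPLE_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/internal-file"> ]>
<web-app><display-name>&ext;</display-name></web-app>"""
SAMPLE_CLEAN = b'<?xml version="1.0"?><web-app><display-name>ok</display-name></web-app>'

if __name__ == "__main__":
    print(find_entity_risks(SAMPLE_WEB_XML))  # two findings
    print(find_entity_risks(SAMPLE_CLEAN))    # []
```

Any non-empty result is reason to reject the upload before Tomcat itself parses the descriptor; on patched versions Tomcat refuses these constructs, but the check still gives the operator an audit trail.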
Comment 1 Swamp Workflow Management 2014-02-26 23:00:21 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-09-01 13:57:07 UTC
We released a tomcat 6.0.41 version update for SLE11; SLE12 has 7.0.54.