JVNDB-2007-000456

Apache Tomcat sample web application cross-site scripting vulnerability

Apache Tomcat, from the Apache Software Foundation, contains a cross-site scripting vulnerability in one of its bundled sample programs.
Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies.
jsp-examples, a sample web application shipped with Apache Tomcat, contains a cross-site scripting vulnerability.

CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None

Apache Software Foundation
- Apache Tomcat 4.0.0 - 4.0.6
- Apache Tomcat 4.1.0 - 4.1.36
- Apache Tomcat 5.0.0 - 5.0.30
- Apache Tomcat 5.5.0 - 5.5.24
- Apache Tomcat 6.0.0 - 6.0.13
Apple Inc.
- Apple Mac OS X v10.4.11
- Apple Mac OS X Server v10.4.11
Hewlett-Packard Development Company, L.P.
- HP-UX 11.11
- HP-UX 11.23
- HP-UX 11.31
MIRACLE LINUX CORPORATION
- Asianux Server 2.0
- Asianux Server 2.1
Red Hat, Inc.
- Red Hat Enterprise Linux 5 (server)
- Red Hat Enterprise Linux Desktop 5.0 (client)
- RHEL Desktop Workstation 5 (client)

An arbitrary script may be executed in the user's web browser.

[Update the Software]
Update to Apache Tomcat 6.0.14, available from the vendor as of August 9, 2007.
[Workarounds]
Avoid installing the sample program.
We recommend that users of Apache Tomcat 4.x and 5.x apply the above workaround, as no updated version for those branches is available yet.

Apache Software Foundation
Apple Inc.
Hewlett-Packard Development Company, L.P.
MIRACLE LINUX CORPORATION
Red Hat, Inc.

- CVE-2007-2449

- JVN : JVN#64851600
- National Vulnerability Database (NVD) : CVE-2007-2449
- SecurityFocus : 24476
- SecurityTracker : 1018245
- FrSIRT Advisories : FrSIRT/ADV-2007-2213

[2008/05/21]
- Web page published
[2008/06/06]
- Affected Products : Added MIRACLE LINUX CORPORATION (tomcat4 (V2.x)).
- Vendor Information : Added MIRACLE LINUX CORPORATION (tomcat4 (V2.x)).
[2008/07/11]
- Affected Products : Added Apple Inc. (Security Update 2008-004).
- Vendor Information : Added Apple Inc. (Security Update 2008-004).