JVNDB-2007-000456

Apache Tomcat sample web application cross-site scripting vulnerability

Overview

Apache Tomcat, from the Apache Software Foundation, contains a cross-site scripting vulnerability in its sample program.

Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies.

jsp-examples, a sample web application included in Apache Tomcat, contains a cross-site scripting vulnerability.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Apache Software Foundation
  • Apache Tomcat 4.0.0 - 4.0.6
  • Apache Tomcat 4.1.0 - 4.1.36
  • Apache Tomcat 5.0.0 - 5.0.30
  • Apache Tomcat 5.5.0 - 5.5.24
  • Apache Tomcat 6.0.0 - 6.0.13
Apple Inc.
  • Apple Mac OS X v10.4.11
  • Apple Mac OS X Server v10.4.11
Hewlett-Packard Development Company, L.P.
  • HP-UX 11.11
  • HP-UX 11.23
  • HP-UX 11.31
MIRACLE LINUX CORPORATION
  • Asianux Server 2.0
  • Asianux Server 2.1
Red Hat, Inc.
  • Red Hat Enterprise Linux 5 (server)
  • Red Hat Enterprise Linux Desktop 5.0 (client)
  • RHEL Desktop Workstation 5 (client)

Impact

An arbitrary script may be executed on the user's web browser.

Solution

[Update the Software]
Update to Apache Tomcat 6.0.14, available from the vendor as of August 9, 2007.

[Workarounds]
Avoid installing the sample program.
We recommend that users of Apache Tomcat 4.x and 5.x apply the above workaround, as a fixed release for those branches is not available yet.

Vendor Information
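As an added example that is not part of this JVNDB entry, the POSIX shell function below audits a Tomcat installation for the sample web application the workaround refers to, so an administrator can confirm it is not deployed. Only the jsp-examples name comes from this advisory; the servlets-examples and examples names, and the /opt/tomcat path in the usage line, are assumptions.

```shell
#!/bin/sh
# Added example (not from the JVNDB advisory): check a Tomcat install
# for bundled sample web applications that the workaround says not to
# install. "jsp-examples" is the name given in the advisory; the other
# two names are assumptions covering the servlet samples and the merged
# Tomcat 6.x "examples" application.
SAMPLE_APPS="jsp-examples servlets-examples examples"

# find_sample_webapps CATALINA_HOME
#   Prints each sample application found as an exploded directory or a
#   .war file under CATALINA_HOME/webapps.
#   Returns 0 if none are deployed, 1 if at least one is, 2 if the
#   webapps directory does not exist.
find_sample_webapps() {
    catalina_home="$1"
    webapps="$catalina_home/webapps"
    found=0
    if [ ! -d "$webapps" ]; then
        echo "no webapps directory under $catalina_home" >&2
        return 2
    fi
    for app in $SAMPLE_APPS; do
        if [ -d "$webapps/$app" ]; then
            echo "deployed: $webapps/$app"
            found=1
        fi
        if [ -f "$webapps/$app.war" ]; then
            echo "deployed: $webapps/$app.war"
            found=1
        fi
    done
    return $found
}

# Usage (path is an assumption):
#   find_sample_webapps /opt/tomcat || echo "sample applications present"
```

Run it against each Tomcat instance's CATALINA_HOME; a non-zero exit means the sample application is deployed and should be removed from the webapps directory (both the exploded directory and the .war, since Tomcat redeploys from the archive).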

  • Apache Software Foundation
  • Apple Inc.
  • Hewlett-Packard Development Company, L.P.
  • MIRACLE LINUX CORPORATION
  • Red Hat, Inc.

CWE

CVE

  1. CVE-2007-2449

References

  1. JVN : JVN#64851600
  2. National Vulnerability Database (NVD) : CVE-2007-2449
  3. SecurityFocus : 24476
  4. SecurityTracker : 1018245
  5. FrSIRT Advisories : FrSIRT/ADV-2007-2213

Revision History

  • [2008/05/21]
      Web page published
  • [2008/06/06]
      Affected Products : Added MIRACLE LINUX CORPORATION (tomcat4 (V2.x)).
      Vendor Information : Added MIRACLE LINUX CORPORATION (tomcat4 (V2.x)).
  • [2008/07/11]
      Affected Products : Added Apple Inc. (Security Update 2008-004).
      Vendor Information : Added Apple Inc. (Security Update 2008-004).