|
[Japanese]
|
JVNDB-2007-000598
|
Apache Tomcat Host Manager cross-site scripting vulnerability
|
|
Apache Tomcat, from the Apache Software Foundation, contains a cross-site scripting vulnerability.
Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.
The Host Manager Servlet does not properly filter user supplied data. This enables an cross-site scripting attack.
|
|
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
|
Apache Software Foundation
- Apache Tomcat 5.5.0 to 5.5.24
- Apache Tomcat 6.0.0 to 6.0.13
Hewlett-Packard Development Company, L.P
- HP-UX 11.11
- HP-UX 11.23
- HP-UX 11.31
MIRACLE LINUX CORPORATION
- Asianux Server 3 (x86)
- Asianux Server 3 (x86-64)
Red Hat, Inc.
- Red Hat Enterprise Linux 5 (server)
- Red Hat Enterprise Linux Desktop 5.0 (client)
- RHEL Desktop Workstation 5 (client)
|
|
|
An arbitrary script could be executed on the user's web browser who logged into Apache Tomcat Host Manager.
|
|
[Update the Software]
We recommend that users of Apache Tomcat 6.0.x upgrade to Apache Tomcat 6.0.14 following the information provided by the vendor.
Workarounds
The fixed version of Apache Tomcat 5.5.x is not available yet.
We recommend that users of Apache Tomcat 5.5.x apply the following workaround.
This issue can be mitigated by logging out (closing the web browser) from the Host Manager when finished.
|
|
Apache Software Foundation
Hewlett-Packard Development Company, L.P
MIRACLE LINUX CORPORATION
Red Hat, Inc.
|
|
- Cross-site Scripting(CWE-79) [NVD Evaluation]
|
|
- CVE-2007-3386
|
|
- JVN : JVN#59851336
- National Vulnerability Database (NVD) : CVE-2007-3386
- Secunia Advisory : SA26465
- SecurityFocus : 25314
- FrSIRT Advisories : FrSIRT/ADV-2007-2880
|
|
- [2008/05/21]
Web page published
|
