Apache Tomcat information disclosure vulnerability

Apache Tomcat from the Apache Software Foundation contains an information disclosure vulnerability.

Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies.
Apache Tomcat contains a vulnerability that may result in the disclosure of POSTed content from a previous request.

This vulnerability was fixed under ASF Bugzilla Bug 40771. However, that bug report contained no description of the vulnerability. Therefore, the Apache Tomcat Development Team decided to publish an advisory regarding this issue.

CVSS Severity

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products

Apache Software Foundation
  • Apache Tomcat 4.1.32 to 4.1.34
  • Apache Tomcat 5.5.10 to 5.5.20

FUJITSU
  • Interstage Application Server
  • Interstage Business Application Server
  • Interstage Studio
  • Interstage Web Server

Impact

A remote attacker may obtain user credentials such as passwords, session IDs, user IDs, etc.

According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected. They have confirmed that Apache Tomcat 6.0.x is not affected.

Solution

[Update the Software]
Apply the latest update provided by the developer.
The following versions contain a fix for this vulnerability.

* Apache Tomcat 4.1.35 and later
* Apache Tomcat 5.5.21 and later
* Apache Tomcat 6.0.0 and later

For more information, refer to the developer's website.

Vendor Information

  • Apache Software Foundation
  • FUJITSU

CWE

  1. Information Exposure (CWE-200) [IPA Evaluation]

CVE

  1. CVE-2008-4308

References

  1. JVN : JVN#66905322
  2. National Vulnerability Database (NVD) : CVE-2008-4308
  3. Secunia Advisory : SA34057
  4. SecurityFocus : 33913
  5. VUPEN Security : VUPEN/ADV-2009-0541
  6. JVN iPedia (Japanese) : JVNDB-2009-000010

Revision History

  • [2009/02/26]
      Web page published