CVE-2013-4590

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published Bysecalert@redhat.com

Published DateFeb 26, 2014, 14:55

Affected Versions(3)

org.apache.tomcat:tomcat(Maven)

Introduced0

Fixed6.0.39

LimitN/A

org.apache.tomcat:tomcat(Maven)

Introduced7.0.0

Fixed7.0.50

LimitN/A

org.apache.tomcat:tomcat(Maven)

Introduced8.0.0-RC1

Fixed8.0.0-RC10

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.tomcat:tomcat(Maven)	0	6.0.39	N/A
org.apache.tomcat:tomcat(Maven)	7.0.0	7.0.50	N/A
org.apache.tomcat:tomcat(Maven)	8.0.0-RC1	8.0.0-RC10	N/A

Weakness Type (CWE):CWE-200

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

Weakness Type (CWE):CWE-200

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE