The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

The version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.16. It is, therefore, affected by multiple vulnerabilities :

 - A flaw exists in the CORS filter because the HTTP Vary header was not properly added. This allows a remote attacker to conduct client-side and server-side cache poisoning attacks. (CVE-2017-7674)

 - A flaw exists in the HTTP/2 implementation that bypasses a number of security checks that prevented directory traversal attacks. A remote attacker can exploit this to bypass security constraints. (CVE-2017-7675)

Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.0.M1 or later but prior to 9.0.0.M22. It is, therefore, affected by multiple vulnerabilities :

 - A flaw exists in the CORS filter because the HTTP Vary header was not properly added. This allows a remote attacker to conduct client-side and server-side cache poisoning attacks. (CVE-2017-7674)

 - A flaw exists in the HTTP/2 implementation that bypasses a number of security checks that prevented directory traversal attacks. A remote attacker can exploit this to bypass security constraints. (CVE-2017-7675)

Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

Two issues were discovered in the Tomcat servlet and JSP engine.

  - CVE-2017-7674     Rick Riemer discovered that the Cross-Origin Resource     Sharing filter did not add a Vary header indicating     possible different responses, which could lead to cache     poisoning.

  - CVE-2017-7675 (stretch only)     Markus Dorschmidt found that the HTTP/2 implementation     bypassed some security checks, thus allowing an attacker     to conduct directory traversal attacks by using     specially crafted URLs.

The version of Tomcat installed on the remote host is prior to 9.0.0.M22. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.0.m22_security-9 advisory.

  - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of     security checks that prevented directory traversal attacks. It was therefore possible to bypass security     constraints using a specially crafted URL. (CVE-2017-7675)

  - The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to     7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This     permitted client and server side cache poisoning in some circumstances. (CVE-2017-7674)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.5.16. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_8.5.16_security-8 advisory.

  - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of     security checks that prevented directory traversal attacks. It was therefore possible to bypass security     constraints using a specially crafted URL. (CVE-2017-7675)

  - The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to     7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This     permitted client and server side cache poisoning in some circumstances. (CVE-2017-7674)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
112301	Apache Tomcat 8.5.x < 8.5.16 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
112295	Apache Tomcat 9.0.0.M1 < 9.0.0.M22 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
103259	Debian DSA-3974-1 : tomcat8 - security update	Nessus	Debian Local Security Checks	high
102590	Apache Tomcat 9.0.0.M1 < 9.0.0.M22 multiple vulnerabilities	Nessus	Web Servers	high
102589	Apache Tomcat 8.5.0 < 8.5.16 multiple vulnerabilities	Nessus	Web Servers	high

Detections

Analytics

CVE-2017-7675

high

Tenable Plugins

high

high

high

high

high