CVE-2017-5648

Description

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Release    Package   Patched in
trusty     tomcat7   7.0.52-1ubuntu0.13
upstream   tomcat7   7.0.72-3
upstream   tomcat8   8.5.11-2
xenial     tomcat7   None
xenial     tomcat8   8.0.32-1ubuntu1.5
zesty      tomcat8   8.0.38-2ubuntu2.2

Unaffected

Release                     Package   Reason
precise                     tomcat7   ignored
precise                     tomcat6   not-affected
precise                     tomcat8   DNE
precise/esm                 tomcat7   DNE
precise/esm                 tomcat6   not-affected
precise/esm                 tomcat8   DNE
vivid/stable-phone-overlay  tomcat7   DNE
vivid/stable-phone-overlay  tomcat6   DNE
vivid/stable-phone-overlay  tomcat8   DNE
vivid/ubuntu-core           tomcat7   DNE
vivid/ubuntu-core           tomcat6   DNE
vivid/ubuntu-core           tomcat8   DNE
yakkety                     tomcat7   ignored
yakkety                     tomcat6   DNE
yakkety                     tomcat8   ignored
zesty                       tomcat7   not-affected
zesty                       tomcat6   DNE
artful                      tomcat7   not-affected
artful                      tomcat6   DNE
artful                      tomcat8   not-affected
devel                       tomcat7   not-affected
devel                       tomcat6   DNE
devel                       tomcat8   not-affected
upstream                    tomcat6   not-affected
trusty                      tomcat6   not-affected
trusty                      tomcat8   DNE
xenial                      tomcat6   not-affected

DNE means the package does not exist in that release.