tomcat7, tomcat8, tomcat6
2017-10-23 14:19
CVE-2017-5648 tomcat6
CVE-2017-5648 tomcat8
CVE-2017-5648 tomcat7
2017-07-20 21:31
2017-06-16 19:22
2017-05-10 23:49
2017-04-28 18:03
2017-04-20 05:03
2017-04-14 10:21
2017-04-14 00:03


While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Release Package Patched in
artful tomcat8 None
devel tomcat8 None
trusty tomcat7 None
upstream tomcat7 7.0.72-3
tomcat8 8.5.11-2
xenial tomcat7 None
tomcat8 None
zesty tomcat8 None


Release Package Reason
precise tomcat7 ignored
tomcat6 not-affected
tomcat8 DNE
precise/esm tomcat7 DNE
tomcat6 not-affected
tomcat8 DNE
vivid/stable-phone-overlay tomcat7 DNE
tomcat6 DNE
tomcat8 DNE
vivid/ubuntu-core tomcat7 DNE
tomcat6 DNE
tomcat8 DNE
yakkety tomcat7 ignored
tomcat6 DNE
tomcat8 ignored
zesty tomcat7 not-affected
tomcat6 DNE
artful tomcat7 not-affected
tomcat6 DNE
devel tomcat7 not-affected
tomcat6 DNE
upstream tomcat6 not-affected
trusty tomcat6 not-affected
tomcat8 DNE
xenial tomcat6 not-affected