CVE-2013-4590

Published: 26/02/2014 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

Apache Tomcat prior to 6.0.39, 7.x prior to 7.0.50, and 8.x prior to 8.0.0-RC10 allows malicious users to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Vulnerable Products

apache tomcat 8.0.0

debian debian linux 7.0

apache tomcat 5.5.27

apache tomcat 6.0.33

apache tomcat 6.0.0

apache tomcat 3.1

apache tomcat 4.1.2

apache tomcat 4.0.4

apache tomcat 4.1.36

apache tomcat 3.2.1

apache tomcat 4.1.9

apache tomcat 5.5.18

apache tomcat 5.0.8

apache tomcat 5

apache tomcat 5.0.19

apache tomcat 6.0.11

apache tomcat 5.5.12

apache tomcat 5.0.14

apache tomcat 5.5.14

apache tomcat 4.1.24

apache tomcat 3.2.2

apache tomcat 5.5.10

apache tomcat 5.0.22

apache tomcat 5.5.4

apache tomcat 5.5.7

apache tomcat 5.5.1

apache tomcat 6

apache tomcat 5.0.7

apache tomcat 5.5.11

apache tomcat 5.5.28

apache tomcat 5.5.6

apache tomcat 5.5.26

apache tomcat 5.0.9

apache tomcat 5.0.15

apache tomcat 5.5.35

apache tomcat 3.3.2

apache tomcat 5.0.30

apache tomcat 5.5.20

apache tomcat 5.5.15

apache tomcat 5.0.23

apache tomcat 1.1.3

apache tomcat 3.2.4

apache tomcat 5.0.2

apache tomcat 5.5.5

apache tomcat 5.0.10

apache tomcat 6.0.15

apache tomcat 5.5.30

apache tomcat 5.0.21

apache tomcat 3.0

apache tomcat 5.0.26

apache tomcat 5.5.21

apache tomcat 5.5.22

apache tomcat 6.0.20

apache tomcat 6.0.10

apache tomcat 6.0.31

apache tomcat 6.0.29

apache tomcat 6.0.3

apache tomcat 5.0.0

apache tomcat 5.0.6

apache tomcat 4.1.31

apache tomcat 6.0.1

apache tomcat 6.0.24

apache tomcat 5.5.3

apache tomcat 5.0.27

apache tomcat 4.1.29

apache tomcat 5.0.16

apache tomcat 6.0.17

apache tomcat 4.0.6

apache tomcat 6.0

apache tomcat 5.5.32

apache tomcat 6.0.32

apache tomcat 5.5.31

apache tomcat 6.0.28

apache tomcat 5.5.9

apache tomcat 4.0.3

apache tomcat 5.5.25

apache tomcat

apache tomcat 5.0.18

apache tomcat 5.5.33

apache tomcat 4.0.1

apache tomcat 3.3.1a

apache tomcat 6.0.14

apache tomcat 5.5.2

apache tomcat 5.0.5

apache tomcat 5.0.28

apache tomcat 5.0.29

apache tomcat 5.5.0

apache tomcat 4.1.1

apache tomcat 5.5.13

apache tomcat 6.0.12

apache tomcat 5.5.24

apache tomcat 4.1.12

apache tomcat 4.1.28

apache tomcat 5.0.13

apache tomcat 6.0.18

apache tomcat 5.5.34

apache tomcat 4.1.15

apache tomcat 4.1.3

apache tomcat 6.0.2

apache tomcat 4.1.10

apache tomcat 5.5.8

apache tomcat 5.0.17

apache tomcat 5.5.16

apache tomcat 4.1.0

apache tomcat 3.1.1

apache tomcat 4.0.2

apache tomcat 5.5.17

apache tomcat 5.5.29

apache tomcat 5.5.19

apache tomcat 4.0.5

apache tomcat 4.0.0

apache tomcat 4

apache tomcat 5.0.4

apache tomcat 3.2.3

apache tomcat 6.0.30

apache tomcat 5.0.25

apache tomcat 6.0.13

apache tomcat 5.0.1

apache tomcat 3.2

apache tomcat 3.3.1

apache tomcat 5.0.11

apache tomcat 5.5.23

apache tomcat 6.0.26

apache tomcat 5.0.3

apache tomcat 6.0.19

apache tomcat 5.0.24

apache tomcat 6.0.27

apache tomcat 6.0.35

apache tomcat 6.0.16

apache tomcat 3.3

apache tomcat 6.0.36

apache tomcat 5.0.12

apache tomcat 7.0.2

apache tomcat 7.0.12

apache tomcat 7.0.20

apache tomcat 7.0.34

apache tomcat 7.0.1

apache tomcat 7.0.4

apache tomcat 7.0.22

apache tomcat 7.0.39

apache tomcat 7.0.26

apache tomcat 7.0.46

apache tomcat 7.0.28

apache tomcat 7.0.0

apache tomcat 7.0.50

apache tomcat 7.0.18

apache tomcat 7.0.14

apache tomcat 7.0.11

apache tomcat 7.0.23

apache tomcat 7.0.44

apache tomcat 7.0.42

apache tomcat 7.0.37

apache tomcat 7.0.29

apache tomcat 7.0.45

apache tomcat 7.0.13

apache tomcat 7.0.41

apache tomcat 7.0.31

apache tomcat 7.0.30

apache tomcat 7.0.15

apache tomcat 7.0.19

apache tomcat 7.0.16

apache tomcat 7.0.10

apache tomcat 7.0.36

apache tomcat 7.0.25

apache tomcat 7.0.35

apache tomcat 7.0.43

apache tomcat 7.0.32

apache tomcat 7.0.38

apache tomcat 7.0.21

apache tomcat 7.0.27

apache tomcat 7.0.24

apache tomcat 7.0.17

apache tomcat 7.0.40

apache tomcat 7.0.3

apache tomcat 7.0.33

oracle solaris 11.2

Vendor Advisories

It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive ...

References

CWE-200

http://tomcat.apache.org/security-7.html
http://svn.apache.org/viewvc?view=revision&revision=1558828
https://bugzilla.redhat.com/show_bug.cgi?id=1069911
http://tomcat.apache.org/security-6.html
http://svn.apache.org/viewvc?view=revision&revision=1549529
http://svn.apache.org/viewvc?view=revision&revision=1549528
http://tomcat.apache.org/security-8.html
http://www-01.ibm.com/support/docview.wss?uid=swg21675886
http://secunia.com/advisories/59873
http://secunia.com/advisories/59036
http://secunia.com/advisories/59722
http://www.securityfocus.com/bid/65768
http://www-01.ibm.com/support/docview.wss?uid=swg21677147
http://secunia.com/advisories/59724
http://www-01.ibm.com/support/docview.wss?uid=swg21678231
http://www-01.ibm.com/support/docview.wss?uid=swg21667883
http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
http://advisories.mageia.org/MGASA-2014-0148.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
http://www.debian.org/security/2016/dsa-3530
http://marc.info/?l=bugtraq&m=144498216801440&w=2
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
http://www.vmware.com/security/advisories/VMSA-2014-0008.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
https://nvd.nist.gov
https://access.redhat.com/security/cve/cve-2013-4590