CVE-2013-4590

Published: 26/02/2014 Updated: 15/04/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

Apache Tomcat prior to 6.0.39, 7.x prior to 7.0.50, and 8.x prior to 8.0.0-RC10 allows malicious users to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Vulnerable Products

apache tomcat 8.0.0

debian debian linux 7.0

apache tomcat 6.0.33

apache tomcat 6.0.32

apache tomcat 6.0.24

apache tomcat 6.0.20

apache tomcat 6.0.16

apache tomcat 6.0.15

apache tomcat 6.0.1

apache tomcat 6.0.0

apache tomcat 5.5.5

apache tomcat 5.5.4

apache tomcat 5.5.3

apache tomcat 5.5.29

apache tomcat 5.0.8

apache tomcat 5.5.14

apache tomcat 5.5.7

apache tomcat 5.0.7

apache tomcat 5.5.6

apache tomcat 5.5.15

apache tomcat 5.5.30

apache tomcat 5.5.21

apache tomcat 5.5.22

apache tomcat 6.0.10

apache tomcat 6.0.17

apache tomcat 5.5.31

apache tomcat 6.0.28

apache tomcat 5.5.0

apache tomcat 5.5.13

apache tomcat 5.5.24

apache tomcat 6.0.18

apache tomcat 5.5.16

apache tomcat 5.5.23

apache tomcat 6.0.26

apache tomcat 6.0.27

apache tomcat 6.0.35

apache tomcat 6.0.36

apache tomcat 5.5.27

apache tomcat 3.2.1

apache tomcat 5.0.19

apache tomcat 5.5.12

apache tomcat 3.2.2

apache tomcat 5.5.11

apache tomcat 5.5.28

apache tomcat 5.0.9

apache tomcat 5.5.35

apache tomcat 5.5.20

apache tomcat 5.0.2

apache tomcat 5.0.10

apache tomcat 5.0.21

apache tomcat 5.0.26

apache tomcat 6.0.31

apache tomcat 5.0.0

apache tomcat 5.0.6

apache tomcat 5.0.27

apache tomcat 4.1.29

apache tomcat 5.0.16

apache tomcat 6.0

apache tomcat 5.0.18

apache tomcat 6.0.14

apache tomcat 5.5.2

apache tomcat 5.0.5

apache tomcat 5.0.28

apache tomcat 5.0.29

apache tomcat 4.1.1

apache tomcat 5.0.13

apache tomcat 5.5.34

apache tomcat 4.1.3

apache tomcat 6.0.2

apache tomcat 5.0.17

apache tomcat 4.1.0

apache tomcat 5.5.19

apache tomcat 4.0.0

apache tomcat 4

apache tomcat 6.0.30

apache tomcat 5.0.25

apache tomcat 6.0.13

apache tomcat 5.0.1

apache tomcat 5.0.11

apache tomcat 5.0.3

apache tomcat 5.0.24

apache tomcat 5.0.12

apache tomcat 3.1

apache tomcat 4.1.2

apache tomcat 4.0.4

apache tomcat 4.1.36

apache tomcat 4.1.9

apache tomcat 5.5.18

apache tomcat 5

apache tomcat 6.0.11

apache tomcat 5.0.14

apache tomcat 4.1.24

apache tomcat 5.5.10

apache tomcat 5.0.22

apache tomcat 5.5.1

apache tomcat 6

apache tomcat 5.5.26

apache tomcat 5.0.15

apache tomcat 3.3.2

apache tomcat 5.0.30

apache tomcat 5.0.23

apache tomcat 1.1.3

apache tomcat 3.2.4

apache tomcat 3.0

apache tomcat 6.0.29

apache tomcat 6.0.3

apache tomcat 4.1.31

apache tomcat 4.0.6

apache tomcat 5.5.32

apache tomcat 5.5.9

apache tomcat 4.0.3

apache tomcat 5.5.25

apache tomcat

apache tomcat 5.5.33

apache tomcat 4.0.1

apache tomcat 3.3.1a

apache tomcat 6.0.12

apache tomcat 4.1.12

apache tomcat 4.1.28

apache tomcat 4.1.15

apache tomcat 4.1.10

apache tomcat 5.5.8

apache tomcat 3.1.1

apache tomcat 4.0.2

apache tomcat 5.5.17

apache tomcat 4.0.5

apache tomcat 5.0.4

apache tomcat 3.2.3

apache tomcat 3.2

apache tomcat 3.3.1

apache tomcat 6.0.19

apache tomcat 3.3

apache tomcat 7.0.50

apache tomcat 7.0.46

apache tomcat 7.0.4

apache tomcat 7.0.32

apache tomcat 7.0.31

apache tomcat 7.0.25

apache tomcat 7.0.24

apache tomcat 7.0.19

apache tomcat 7.0.18

apache tomcat 7.0.10

apache tomcat 7.0.1

apache tomcat 7.0.2

apache tomcat 7.0.12

apache tomcat 7.0.34

apache tomcat 7.0.22

apache tomcat 7.0.39

apache tomcat 7.0.26

apache tomcat 7.0.0

apache tomcat 7.0.11

apache tomcat 7.0.23

apache tomcat 7.0.44

apache tomcat 7.0.45

apache tomcat 7.0.41

apache tomcat 7.0.30

apache tomcat 7.0.15

apache tomcat 7.0.16

apache tomcat 7.0.43

apache tomcat 7.0.38

apache tomcat 7.0.27

apache tomcat 7.0.17

apache tomcat 7.0.40

apache tomcat 7.0.3

apache tomcat 7.0.33

apache tomcat 7.0.20

apache tomcat 7.0.28

apache tomcat 7.0.14

apache tomcat 7.0.42

apache tomcat 7.0.37

apache tomcat 7.0.29

apache tomcat 7.0.13

apache tomcat 7.0.36

apache tomcat 7.0.35

apache tomcat 7.0.21

oracle solaris 11.2

Vendor Advisories

It was found that several application-provided XML files, such as web.xml, context.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive ...

Oracle Critical Patch Update Advisory - October 2016. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...

References

CWE-200
http://tomcat.apache.org/security-7.html
http://svn.apache.org/viewvc?view=revision&revision=1558828
https://bugzilla.redhat.com/show_bug.cgi?id=1069911
http://tomcat.apache.org/security-6.html
http://svn.apache.org/viewvc?view=revision&revision=1549529
http://svn.apache.org/viewvc?view=revision&revision=1549528
http://tomcat.apache.org/security-8.html
http://www-01.ibm.com/support/docview.wss?uid=swg21675886
http://secunia.com/advisories/59873
http://secunia.com/advisories/59036
http://secunia.com/advisories/59722
http://www.securityfocus.com/bid/65768
http://www-01.ibm.com/support/docview.wss?uid=swg21677147
http://secunia.com/advisories/59724
http://www-01.ibm.com/support/docview.wss?uid=swg21678231
http://www-01.ibm.com/support/docview.wss?uid=swg21667883
http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
http://advisories.mageia.org/MGASA-2014-0148.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
http://www.debian.org/security/2016/dsa-3530
http://marc.info/?l=bugtraq&m=144498216801440&w=2
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
http://www.vmware.com/security/advisories/VMSA-2014-0008.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
http://tools.cisco.com/security/center/viewAlert.x?alertId=33030
https://nvd.nist.gov
https://access.redhat.com/security/cve/cve-2013-4590