5
MEDIUM

CVE-2017-7675

Published: 11/08/2017 Updated: 16/06/2018
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

Vulnerability Summary

Oracle Solaris 11: CVE-2017-7675: Vulnerability in Apache Tomcat

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

Two issues were discovered in the Tomcat servlet and JSP engine. CVE-2017-7674 Rick Riemer discovered that the Cross-Origin Resource Sharing filter did not add a Vary header indicating possible different responses, which could lead to cache poisoning. CVE-2017-7675 (stretch only) Markus Dörschmidt found that the HTTP/2 implementation bypassed some security checks, thus allowing an attacker to conduct directory traversal attacks by using specially crafted URLs. For the oldstable distribution (jessie), these problems have been fixed in version 8.0.14-1+deb8u11. For the stable distribution (stretch), these problems have been fixed in version 8.5.14-1+deb9u2. We recommend that you upgrade your tomcat8 packages.

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Complexity: LOW
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Affected Products

Vendor Product Versions
ApacheTomcat8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 9.0.0

Vendor Advisories

Two issues were discovered in the Tomcat servlet and JSP engine CVE-2017-7674 Rick Riemer discovered that the Cross-Origin Resource Sharing filter did not add a Vary header indicating possible different responses, which could lead to cache poisoning CVE-2017-7675 (stretch only) Markus Dörschmidt found that the HTTP/2 implementat ...
The HTTP/2 implementation in Apache Tomcat 900M1 to 900M21 and 850 to 8515 bypassed a number of security checks that prevented directory traversal attacks It was therefore possible to bypass security constraints using a specially crafted URL ...

References