Bug 865743 (CVE-2013-4590) - VUL-0: CVE-2013-4590: tomcat: information disclosure via XSS when running untrusted web applications
Summary: VUL-0: CVE-2013-4590: tomcat: information disclosure via XSS when running unt...
Status: RESOLVED FIXED
Alias: CVE-2013-4590
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other openSUSE 13.1
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Fridrich Strba
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-26 08:59 UTC by Victor Pereira
Modified: 2014-09-01 13:57 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2014-02-26 08:59:36 UTC 
CVE-2013-4590

Application provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment.

This has been corrected in upstream versions 8.0.0-rc10 [1], 7.0.50 [2], and 6.0.39 [3]

[1] http://svn.apache.org/viewvc?view=revision&revision=1549528
[2] http://svn.apache.org/viewvc?view=revision&revision=1549529
[3] http://svn.apache.org/viewvc?view=revision&revision=1558828
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1069911
Comment 1 Swamp Workflow Management 2014-02-26 23:00:21 UTC 
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-09-01 13:57:07 UTC 
we released a tomcat 6.0.41 version update for SLE11, SLE12 has 7.0.54