CVE-2013-4590 — Sensitive Information Exposure in Apache Tomcat

CWE-200 — Sensitive Information Exposure CWE-611 — XML External Entity (XXE) Injection9 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.9%

top 23.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Debian Linux Oracle Solaris

Timeline

PublishedFeb 26

Latest updateMay 14

Description

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDapache/tomcat6.0.37+173

▶NVDoracle/solaris11.2

Also affects: Debian Linux 7.0

🔴Vulnerability Details

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat↗2022-05-14

▶

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat↗2022-05-14

▶

OSV

CVE-2013-4590: Apache Tomcat before 6↗2014-02-26

▶

CVEList

CVE-2013-4590: Apache Tomcat before 6↗2014-02-26

▶

📋Vendor Advisories

Red Hat

tomcat: information disclosure via XXE when running untrusted web applications↗2014-02-25

▶

Apache

Apache tomcat: CVE-2013-4590↗

▶

💬Community

Bugzilla

CVE-2013-4322 CVE-2013-4590 CVE-2013-4286 tomcat: various flaws [fedora-all]↗2014-02-25

▶

Bugzilla

CVE-2013-4590 tomcat: information disclosure via XXE when running untrusted web applications↗2014-02-25

▶