CVE-2017-7674 — Insufficient Verification of Data Authenticity in Software Foundation Apache Tomcat

CWE-345 — Insufficient Verification of Data Authenticity13 documents9 sources

Severity

4.3MEDIUMNVD

EPSS

5.9%

top 9.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tomcat Apache Tomcat

Timeline

PublishedAug 11

Latest updateMay 14

Description

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDapache/tomcat100 versions+99

▶CVEListV5apache_software_foundation/apache_tomcat4 versions+3

🔴Vulnerability Details

GHSA

Insufficient Verification of Data Authenticity in Apache Tomcat↗2022-05-14

▶

OSV

Insufficient Verification of Data Authenticity in Apache Tomcat↗2022-05-14

▶

OSV

tomcat7, tomcat8 vulnerabilities↗2018-01-08

▶

CVEList

CVE-2017-7674: The CORS Filter in Apache Tomcat 9↗2017-08-11

▶

OSV

CVE-2017-7674: The CORS Filter in Apache Tomcat 9↗2017-08-10

▶

📋Vendor Advisories

Ubuntu

Tomcat vulnerabilities↗2018-01-08

▶

Red Hat

tomcat: Vary header not added by CORS filter leading to cache poisoning↗2017-08-10

▶

Debian

CVE-2017-7674: tomcat9 - The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.R...↗2017

▶

Apache

Apache tomcat: CVE-2017-7674↗

▶

💬Community

Bugzilla

CVE-2017-7674 tomcat: Cache Poisoning [fedora-all]↗2017-08-11

▶

Bugzilla

CVE-2017-7674 tomcat: Vary header not added by CORS filter leading to cache poisoning↗2017-08-11

▶

Bugzilla

CVE-2017-7674 tomcat: Cache Poisoning [epel-6]↗2017-08-11

▶