{ "threat_severity" : "Moderate", "public_date" : "2017-08-10T00:00:00Z", "bugzilla" : { "description" : "tomcat: Vary header not added by CORS filter leading to cache poisoning", "id" : "1480618", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1480618" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "status" : "verified" }, "details" : [ "The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.", "A vulnerability was discovered in Tomcat where the CORS Filter did not send a \"Vary: Origin\" HTTP header. This potentially allowed sensitive data to be leaked to other visitors through both client-side and server-side caches." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2017-10-30T00:00:00Z", "advisory" : "RHSA-2017:3081", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "tomcat-0:7.0.76-3.el7_4" }, { "product_name" : "Red Hat JBoss Web Server 3.1", "release_date" : "2017-07-25T00:00:00Z", "advisory" : "RHSA-2017:1802", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-07-25T00:00:00Z", "advisory" : "RHSA-2017:1801", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-07-25T00:00:00Z", "advisory" : "RHSA-2017:1801", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat7-0:7.0.70-22.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-07-25T00:00:00Z", "advisory" : "RHSA-2017:1801", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat8-0:8.0.36-24.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-07-25T00:00:00Z", "advisory" : "RHSA-2017:1801", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat-native-0:1.2.8-10.redhat_10.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-07-25T00:00:00Z", "advisory" : "RHSA-2017:1801", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-07-25T00:00:00Z", "advisory" : "RHSA-2017:1801", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat7-0:7.0.70-22.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-07-25T00:00:00Z", "advisory" : "RHSA-2017:1801", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat8-0:8.0.36-24.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-07-25T00:00:00Z", "advisory" : "RHSA-2017:1801", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat-native-0:1.2.8-10.redhat_10.ep7.el7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "tomcat6", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat JBoss Data Grid 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_data_grid:6" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Will not fix", "package_name" : "tomcat6", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Will not fix", "package_name" : "tomcat7", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Under investigation", "package_name" : "tomcat7", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Under investigation", "package_name" : "tomcat8", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss Portal 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "rh-java-common-tomcat", "cpe" : "cpe:/a:redhat:rhel_software_collections:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-7674\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7674\nhttps://tomcat.apache.org/security-7.html\nhttps://tomcat.apache.org/security-8.html" ], "name" : "CVE-2017-7674", "csaw" : false }