CVE-2017-7674

MEDIUM

Apache Tomcat <9.0.0.M21,8.5.15,8.0.44,7.0.78 - Info Disclosure

Title source: llm

Description

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

References (29)

[Third Party Advisory] http://www.debian.org/security/2017/dsa-3974

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/100280

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:1801

[Mailing List] https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html

[Vendor Advisory] https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20180614-0003/

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:1802

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3081

[Vendor Advisory] http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

[Mailing List] https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/22b4bb077502f847e2b9fcf00b96e81e734466ab459780ff73b60c0f%40%3Cannounce.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E

... and 9 more

Scores

CVSS v3 4.3

EPSS 0.0592

EPSS Percentile 90.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE

CWE-345

Status published

Products (50)

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

... and 40 more

Published Aug 11, 2017

Tracked Since Feb 18, 2026