Vulnerability Description
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Tomcat | 8.0.0 |
| Debian | Debian Linux | 7.0 |
| Oracle | Solaris | 11.2 |
Related Weaknesses (CWE)
References
- http://advisories.mageia.org/MGASA-2014-0148.html (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=144498216801440&w=2 (Mailing List)
- http://secunia.com/advisories/59036 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/59722 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/59724 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/59873 (Permissions Required, Third Party Advisory)
- http://svn.apache.org/viewvc?view=revision&revision=1549528 (Issue Tracking)
- http://svn.apache.org/viewvc?view=revision&revision=1549529 (Issue Tracking)
- http://svn.apache.org/viewvc?view=revision&revision=1558828 (Issue Tracking)
- http://tomcat.apache.org/security-6.html (Vendor Advisory)
- http://tomcat.apache.org/security-7.html (Vendor Advisory)
- http://tomcat.apache.org/security-8.html (Vendor Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=swg21667883 (Third Party Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=swg21675886 (Third Party Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=swg21677147 (Third Party Advisory)
FAQ
What is CVE-2013-4590?
CVE-2013-4590 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a co...
How severe is CVE-2013-4590?
CVE-2013-4590 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2013-4590?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Oracle Solaris.