Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- - Apache Tomcat 7.0.1 to 7.0.67
- - Apache Tomcat 8.0.0.RC1 to 8.0.31
- - Apache Tomcat 9.0.0.M1
Description:
The index page of the Manager and Host Manager applications included a
valid CSRF token when issuing a redirect as a result of an
unauthenticated request to the root of the web application. This token
could then be used by an attacker to construct a CSRF attack.
Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 9.0.0.M3 or later
(9.0.0.M2 has the fix but was not released)
- - Upgrade to Apache Tomcat 8.0.32 or later
(8.0.31 has the fix but was not released)
- - Upgrade to Apache Tomcat 7.0.68 or later
Credit:
This issue was discovered by the Apache Tomcat security team.
References:
[1] http://tomcat.apache.org/
[2] http://tomcat.apache.org/
[3] http://tomcat.apache.org/
Komentarų nėra:
Rašyti komentarą