SCA: security update for org.apache.tomcat:tomcat (GHSA-jmvv-524f-hj5j)

high Tenable Cloud Security Plugin ID 416473

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an
error page is configured for the error that occurred, the original request and response are forwarded to
the error page. This means that the request is presented to the error page with the original HTTP method.
If the error page is a static file, expected behaviour is to serve content of the file as if processing a
GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to
9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the
original request this could lead to unexpected and undesirable results for static error pages including,
if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page.
Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP
method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request,
regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the
HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET
request, regardless of the actual method. (CVE-2017-5664)

See Also

https://github.com/advisories/GHSA-jmvv-524f-hj5j

Plugin Details

Severity: High

ID: 416473

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2017-5664

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/13/2022

Vulnerability Publication Date: 5/16/2017

Reference Information

CVE: CVE-2017-5664

BID: 98888

cwe: CWE-755