This script is Copyright (C) 2017 Tenable Network Security, Inc.
The remote Apache Tomcat server is affected by a remote error page
According to its self-reported version number, the Apache Tomcat
service running on the remote host is 7.0.x prior to 7.0.78, 8.0.x
prior to 8.0.44, or 8.5.x prior to 8.5.15. It is, therefore, affected
by an implementation flaw in the error page reporting mechanism: it
does not conform to the Java Servlet Specification, which requires
static error pages to be processed as an HTTP GET request
notwithstanding the HTTP request method that was originally used when
the error occurred. Depending on the original request and the
configuration of the Default Servlet, an unauthenticated, remote
attacker can exploit this issue to replace or remove custom error
Note that Nessus has not attempted to exploit this issue but has
instead relied only on the application's self-reported version number.
Upgrade to Apache Tomcat version 7.0.78 / 8.0.44 / 8.5.15 or later.
Risk factor :
Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.1
Public Exploit Available : true