Apache Tomcat Long URL Information Disclosure

medium Nessus Plugin ID 49701

Synopsis

The remote Apache Tomcat server is affected by an information disclosure vulnerability.

Description

The remote Apache Tomcat web server is affected by an information disclosure vulnerability. The full install path of Apache Tomcat can be obtained by sending an HTTP request that contains a long URL.

Note that there is reportedly an additional install path disclosure vulnerability in this version of Apache Tomcat; however, Nessus has not explicitly tested for it.

Solution

Update to Apache Tomcat version 4.0.2 or later.

See Also

http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.0.2

https://seclists.org/bugtraq/2001/Nov/190

Plugin Details

Severity: Medium

ID: 49701

File Name: tomcat_long_url_path_disclose.nasl

Version: 1.15

Type: remote

Family: Web Servers

Published: 10/1/2010

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.3

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:tomcat

Required KB Items: installed_sw/Apache Tomcat

Exploit Ease: No known exploits are available

Patch Publication Date: 2/12/2002

Vulnerability Publication Date: 11/22/2001

Reference Information

CVE: CVE-2001-0917, CVE-2002-2009

BID: 4557, 3199