CVE-2017-7674 (CVSS base score: 4.3)

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. Without `Vary: Origin`, a cache that keys only on the URL may store the CORS response headers generated for one Origin and serve them to requests from a different Origin. This permitted client- and server-side cache poisoning in some circumstances.

Data is provided by the National Vulnerability Database (NVD)
Affected configurations (CPE data from NVD):

Apache Tomcat 7.0: 7.0.41, 7.0.42, 7.0.43, 7.0.44, 7.0.45, 7.0.46, 7.0.47, 7.0.48, 7.0.49, 7.0.50, 7.0.52, 7.0.53, 7.0.54, 7.0.55, 7.0.56, 7.0.57, 7.0.58, 7.0.59, 7.0.60, 7.0.61, 7.0.62, 7.0.63, 7.0.64, 7.0.65, 7.0.66, 7.0.67, 7.0.68, 7.0.69, 7.0.70, 7.0.71, 7.0.72, 7.0.73, 7.0.74, 7.0.75, 7.0.76, 7.0.77, 7.0.78 (7.0.51 is not listed)
Apache Tomcat 8.0: 8.0, 8.0.0-RC1, 8.0.0-RC3, 8.0.0-RC5, 8.0.0-RC10, and every release from 8.0.1 through 8.0.44
Apache Tomcat 8.5: every release from 8.5.0 through 8.5.15
Apache Tomcat 9.0: every milestone from 9.0.0.M1 through 9.0.0.M21
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 4.09% | 0.881

CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 4.3 | 2.8 | 1.4 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (CVSS v3.0)
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N (CVSS v2.0)
CWE-345: Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Reference: http://www.securityfocus.com/bid/100280 (Third Party Advisory, VDB Entry)