-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2013-4590 Information disclosure via XXE when running untrusted web applications Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5 - - Apache Tomcat 7.0.0 to 7.0.47 - - Apache Tomcat 6.0.0 to 6.0.37 Description: Application provided XML files such as web.xml, context.xml, *.tld, *.tagx and *.jspx allowed XXE which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.0-RC10 or later (8.0.0-RC6 to 8.0.0-RC9 contain the fix but were not released) - - Upgrade to Apache Tomcat 7.0.50 or later (7.0.48 to 7.0.49 contain the fix but were not released) - - Upgrade to Apache Tomcat 6.0.39 or later (6.0.38 contains the fix but was not released) Credit: This issue was identified by the Apache Tomcat security team. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTDHxJAAoJEBDAHFovYFnnyWAQAIoducHGYKhqCCq7SbbkeUxC 2y8HxdYKo0T/AfolZoTlFInPnVDG8cvoPjEKO7MVzmWJaXjH4lOPYWAzss/N5//M SCczevb1CSmw+m6d6TWs5YeJSGdJdEZuGjIo4GBTLYymUGPB88JdbeeIDvsVeWIx agPaXN80aNady+uPbbpPh3mLIRchi00Ui7vI+0eWMVzcOED1MsvNiPyaGk7eHIhQ nAoiG1QqY68yps1i9lTL1y5jaTklhf6Rh0BKRHA5oLBC2XH6vzKfVw4DVbYTDIve N74s4BssSCMgKDzIGG1zwvU6EdLrHW+NVmfKDey+D0j6THT3rTPiQC4QVjZfVY0u YLuLkX/kobjV2ESgXj7EBTzxuOB/F+bweZ4PfdSV723ggQclwotzLQvEfKkcc4WY taYl4D33gL55QvCsKCCDYbCZklZxOyQ34mly70064tOEFE/nuSq5hIS887Jh0WW2 5pDweW2GZxjXMPAs3sFpmx2UW8VEepxYOhVla/9O+AseHePlyjihEekpB+83Gotk YAFCpCrkXLX9i2B/LW65DYJYUycW+s6j1kQzGyJmsF0ff45airKhrcHvBLtPGm4B dhY5hLhaQh//eJvJlNoAq2QfDEiPEqR5Ks91mhkp+4JBP1ubMyGbQo/Di0jShoJR dwR7dpwk2mIO/l6BnAv6 =hR9C -----END PGP SIGNATURE-----