CVE-2013-4590

Published: Feb 26, 2014Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Affected (193)

Products: Apache: Tomcat · Debian: Debian Linux · Oracle: Solaris

1 product

1 product

1 product

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 8.0.0 rc1
Apache Tomcat	Version 8.0.0 rc2
Apache Tomcat	Version 8.0.0 rc3
Apache Tomcat	Version 8.0.0 rc4
Apache Tomcat	Version 8.0.0 rc5
Apache Tomcat	Version 8.0.0 rc6
Apache Tomcat	Version 8.0.0 rc7
Apache Tomcat	Version 8.0.0 rc8
Apache Tomcat	Version 8.0.0 rc9

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0

Configuration C

136 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Up to 6.0.37
Apache Tomcat	Version 1.1.3
Apache Tomcat	Version 3.0
Apache Tomcat	Version 3.1.1
Apache Tomcat	Version 3.1
Apache Tomcat	Version 3.2.1
Apache Tomcat	Version 3.2.2
Apache Tomcat	Version 3.2.2 beta2
Apache Tomcat	Version 3.2.3
Apache Tomcat	Version 3.2.4
Apache Tomcat	Version 3.2
Apache Tomcat	Version 3.3.1
Apache Tomcat	Version 3.3.1a
Apache Tomcat	Version 3.3.2
Apache Tomcat	Version 3.3
Apache Tomcat	Version 4.0.0
Apache Tomcat	Version 4.0.1
Apache Tomcat	Version 4.0.2
Apache Tomcat	Version 4.0.3
Apache Tomcat	Version 4.0.4
Apache Tomcat	Version 4.0.5
Apache Tomcat	Version 4.0.6
Apache Tomcat	Version 4.1.0
Apache Tomcat	Version 4.1.10
Apache Tomcat	Version 4.1.12
Apache Tomcat	Version 4.1.15
Apache Tomcat	Version 4.1.1
Apache Tomcat	Version 4.1.24
Apache Tomcat	Version 4.1.28
Apache Tomcat	Version 4.1.29
Apache Tomcat	Version 4.1.2
Apache Tomcat	Version 4.1.31
Apache Tomcat	Version 4.1.36
Apache Tomcat	Version 4.1.3
Apache Tomcat	Version 4.1.3 beta
Apache Tomcat	Version 4.1.9 beta
Apache Tomcat	Version 4
Apache Tomcat	Version 5.0.0
Apache Tomcat	Version 5.0.10
Apache Tomcat	Version 5.0.11
Apache Tomcat	Version 5.0.12
Apache Tomcat	Version 5.0.13
Apache Tomcat	Version 5.0.14
Apache Tomcat	Version 5.0.15
Apache Tomcat	Version 5.0.16
Apache Tomcat	Version 5.0.17
Apache Tomcat	Version 5.0.18
Apache Tomcat	Version 5.0.19
Apache Tomcat	Version 5.0.1
Apache Tomcat	Version 5.0.21
Apache Tomcat	Version 5.0.22
Apache Tomcat	Version 5.0.23
Apache Tomcat	Version 5.0.24
Apache Tomcat	Version 5.0.25
Apache Tomcat	Version 5.0.26
Apache Tomcat	Version 5.0.27
Apache Tomcat	Version 5.0.28
Apache Tomcat	Version 5.0.29
Apache Tomcat	Version 5.0.2
Apache Tomcat	Version 5.0.30
Apache Tomcat	Version 5.0.3
Apache Tomcat	Version 5.0.4
Apache Tomcat	Version 5.0.5
Apache Tomcat	Version 5.0.6
Apache Tomcat	Version 5.0.7
Apache Tomcat	Version 5.0.8
Apache Tomcat	Version 5.0.9
Apache Tomcat	Version 5.5.0
Apache Tomcat	Version 5.5.10
Apache Tomcat	Version 5.5.11
Apache Tomcat	Version 5.5.12
Apache Tomcat	Version 5.5.13
Apache Tomcat	Version 5.5.14
Apache Tomcat	Version 5.5.15
Apache Tomcat	Version 5.5.16
Apache Tomcat	Version 5.5.17
Apache Tomcat	Version 5.5.18
Apache Tomcat	Version 5.5.19
Apache Tomcat	Version 5.5.1
Apache Tomcat	Version 5.5.20
Apache Tomcat	Version 5.5.21
Apache Tomcat	Version 5.5.22
Apache Tomcat	Version 5.5.23
Apache Tomcat	Version 5.5.24
Apache Tomcat	Version 5.5.25
Apache Tomcat	Version 5.5.26
Apache Tomcat	Version 5.5.27
Apache Tomcat	Version 5.5.28
Apache Tomcat	Version 5.5.29
Apache Tomcat	Version 5.5.2
Apache Tomcat	Version 5.5.30
Apache Tomcat	Version 5.5.31
Apache Tomcat	Version 5.5.32
Apache Tomcat	Version 5.5.33
Apache Tomcat	Version 5.5.34
Apache Tomcat	Version 5.5.35
Apache Tomcat	Version 5.5.3
Apache Tomcat	Version 5.5.4
Apache Tomcat	Version 5.5.5
Apache Tomcat	Version 5.5.6
Apache Tomcat	Version 5.5.7
Apache Tomcat	Version 5.5.8
Apache Tomcat	Version 5.5.9
Apache Tomcat	Version 5
Apache Tomcat	Version 6.0.0
Apache Tomcat	Version 6.0.0 alpha
Apache Tomcat	Version 6.0.10
Apache Tomcat	Version 6.0.11
Apache Tomcat	Version 6.0.12
Apache Tomcat	Version 6.0.13
Apache Tomcat	Version 6.0.14
Apache Tomcat	Version 6.0.15
Apache Tomcat	Version 6.0.16
Apache Tomcat	Version 6.0.17
Apache Tomcat	Version 6.0.18
Apache Tomcat	Version 6.0.19
Apache Tomcat	Version 6.0.1
Apache Tomcat	Version 6.0.1 alpha
Apache Tomcat	Version 6.0.20
Apache Tomcat	Version 6.0.24
Apache Tomcat	Version 6.0.26
Apache Tomcat	Version 6.0.27
Apache Tomcat	Version 6.0.28
Apache Tomcat	Version 6.0.29
Apache Tomcat	Version 6.0.2
Apache Tomcat	Version 6.0.2 alpha
Apache Tomcat	Version 6.0.2 beta
Apache Tomcat	Version 6.0.30
Apache Tomcat	Version 6.0.31
Apache Tomcat	Version 6.0.32
Apache Tomcat	Version 6.0.33
Apache Tomcat	Version 6.0.35
Apache Tomcat	Version 6.0.36
Apache Tomcat	Version 6.0.3
Apache Tomcat	Version 6.0
Apache Tomcat	Version 6

Configuration D

46 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 7.0.0
Apache Tomcat	Version 7.0.0 beta
Apache Tomcat	Version 7.0.10
Apache Tomcat	Version 7.0.11
Apache Tomcat	Version 7.0.12
Apache Tomcat	Version 7.0.13
Apache Tomcat	Version 7.0.14
Apache Tomcat	Version 7.0.15
Apache Tomcat	Version 7.0.16
Apache Tomcat	Version 7.0.17
Apache Tomcat	Version 7.0.18
Apache Tomcat	Version 7.0.19
Apache Tomcat	Version 7.0.1
Apache Tomcat	Version 7.0.20
Apache Tomcat	Version 7.0.21
Apache Tomcat	Version 7.0.22
Apache Tomcat	Version 7.0.23
Apache Tomcat	Version 7.0.24
Apache Tomcat	Version 7.0.25
Apache Tomcat	Version 7.0.26
Apache Tomcat	Version 7.0.27
Apache Tomcat	Version 7.0.28
Apache Tomcat	Version 7.0.29
Apache Tomcat	Version 7.0.2
Apache Tomcat	Version 7.0.2 beta
Apache Tomcat	Version 7.0.30
Apache Tomcat	Version 7.0.31
Apache Tomcat	Version 7.0.32
Apache Tomcat	Version 7.0.33
Apache Tomcat	Version 7.0.34
Apache Tomcat	Version 7.0.35
Apache Tomcat	Version 7.0.36
Apache Tomcat	Version 7.0.37
Apache Tomcat	Version 7.0.38
Apache Tomcat	Version 7.0.39
Apache Tomcat	Version 7.0.3
Apache Tomcat	Version 7.0.40
Apache Tomcat	Version 7.0.41
Apache Tomcat	Version 7.0.42
Apache Tomcat	Version 7.0.43
Apache Tomcat	Version 7.0.44
Apache Tomcat	Version 7.0.45
Apache Tomcat	Version 7.0.46
Apache Tomcat	Version 7.0.4
Apache Tomcat	Version 7.0.4 beta
Apache Tomcat	Version 7.0.50

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Solaris	Version 11.2

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (62)

http://advisories.mageia.org/MGASA-2014-0148.html

Source: secalert@redhat.com

Third Party Advisory

http://marc.info/?l=bugtraq&m=144498216801440&w=2

Source: secalert@redhat.com

Mailing List

http://secunia.com/advisories/59036

Source: secalert@redhat.com

Permissions RequiredThird Party Advisory

http://secunia.com/advisories/59722

Source: secalert@redhat.com

Permissions RequiredThird Party Advisory

http://secunia.com/advisories/59724

Source: secalert@redhat.com

Permissions RequiredThird Party Advisory

http://secunia.com/advisories/59873

Source: secalert@redhat.com

Permissions RequiredThird Party Advisory

http://svn.apache.org/viewvc?view=revision&revision=1549528

Source: secalert@redhat.com

Issue Tracking

http://svn.apache.org/viewvc?view=revision&revision=1549529

Source: secalert@redhat.com

Issue Tracking

http://svn.apache.org/viewvc?view=revision&revision=1558828

Source: secalert@redhat.com

Issue Tracking

http://tomcat.apache.org/security-6.html

Source: secalert@redhat.com

Vendor Advisory

http://tomcat.apache.org/security-7.html

Source: secalert@redhat.com

Vendor Advisory

http://tomcat.apache.org/security-8.html

Source: secalert@redhat.com

Vendor Advisory

http://www-01.ibm.com/support/docview.wss?uid=swg21667883

Source: secalert@redhat.com

Third Party Advisory

http://www-01.ibm.com/support/docview.wss?uid=swg21675886

Source: secalert@redhat.com

Third Party Advisory

http://www-01.ibm.com/support/docview.wss?uid=swg21677147

Source: secalert@redhat.com

Third Party Advisory

http://www-01.ibm.com/support/docview.wss?uid=swg21678231

Source: secalert@redhat.com

Third Party Advisory

http://www.debian.org/security/2016/dsa-3530

Source: secalert@redhat.com

Third Party Advisory

http://www.mandriva.com/security/advisories?name=MDVSA-2015:052

Source: secalert@redhat.com

Third Party Advisory

http://www.mandriva.com/security/advisories?name=MDVSA-2015:084

Source: secalert@redhat.com

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Source: secalert@redhat.com

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Source: secalert@redhat.com

http://www.securityfocus.com/bid/65768

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.vmware.com/security/advisories/VMSA-2014-0008.html

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1069911

Source: secalert@redhat.com

Issue Tracking

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013

Source: secalert@redhat.com

https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

http://advisories.mageia.org/MGASA-2014-0148.html