CVE-2002-1394 — tomcat4 - source disclosure

Description

Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.

How to fix CVE-2002-1394

To remediate CVE-2002-1394, upgrade the affected package to a fixed version below.

Debian/tomcat4—upgrade to 4.0.3-3woody2 or later
Maven/org.apache.tomcat:tomcat—upgrade to 4.0.6 or later

Is CVE-2002-1394 being exploited?

Moderate — EPSS is 5.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 4.0.3-3woody2
from 0, < 4.0.6

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2002-1394
WEBissues.apache.org/bugzilla/show_bug.cgi?id=13365
WEBmarc.info/?l=bugtraq&m=103470282514938&w=2
WEBmarc.info/?l=tomcat-dev&m=103417249325526&w=2
WEB