CVE-2002-2006
Apache Tomcat Default Installation Reveals Sensitive Information
EPSS 29.9%
Description
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
How to fix CVE-2002-2006
To remediate CVE-2002-2006, upgrade the affected package to a fixed version listed below.
- Maven/org.apache.tomcat:tomcat: upgrade to 4.1.0 or later
Is CVE-2002-2006 being exploited?
Moderate: EPSS is 29.9%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- Maven/org.apache.tomcat:tomcat: >= 4.0.0, < 4.1.0