CVE-2008-0002
Apache Tomcat Sensitive Information Disclosure
EPSS 4.4%
Description
Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by disconnecting during this processing in order to trigger the exception.
How to fix CVE-2008-0002
To remediate CVE-2008-0002, upgrade the affected package to a fixed version below.
- Maven/org.apache.tomcat:tomcat: upgrade to 6.0.16 or later
Is CVE-2008-0002 being exploited?
Low. The EPSS score is 4.4%, an estimated probability of exploitation; exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.apache.tomcat:tomcat: >= 6.0.0, < 6.0.16