CVE-2017-7674
tomcat8 - security update
4.3
MEDIUM
CVSS 3.1
EPSS 5.9%
Description
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. The filter reflects the request's Origin into Access-Control-Allow-Origin, so a cache that sees no Vary: Origin may store the response generated for one origin and replay it to requests from a different origin, changing which origin the browser allows to read the cached response (hence the integrity-only impact in the CVSS vector).
How to fix CVE-2017-7674
To remediate CVE-2017-7674, upgrade the affected package to a fixed version below.
- Debian/tomcat8—upgrade to 8.0.14-1+deb8u11 or later
- Apache Tomcat 9.0.x—upgrade to 9.0.0.M22 or later
The 8.5.x and 7.0.x ranges named in the description have no fixed version listed on this page; on those branches, move to a release later than the affected range given above.
Is CVE-2017-7674 being exploited?
Moderate: EPSS is 5.9%. Track this CVE, but it is not at the top of the prioritisation list. Exposure is highest where Tomcat sits behind a shared cache (reverse proxy or CDN) that stores responses carrying Access-Control-Allow-Origin, which is the setting in which the missing Vary header matters.
Affected packages (2)
- Debian/tomcat8: from 0, < 8.0.14-1+deb8u11
- Apache Tomcat 9.0.x: >= 9.0.0.M1, < 9.0.0.M22
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Note that the vector string is prefixed CVSS:3.0 while the row is labelled CVSS 3.1; the metric values are the same under both versions and yield 4.3 either way.