Apache Tomcat Default Servlet Error Handling Bug May Let Remote Users Bypass HTTP Method Restrictions on the Target Error Page
Severity Rating: Medium
- Apache Tomcat server versions 7.0.0 to 7.0.77, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14, 9.0.0.M1 to 9.0.0.M20
A vulnerability has been reported in Apache Tomcat that can be exploited by remote attackers to bypass security controls on the target system. The vulnerability exists because the default Servlet's error page mechanism does not properly handle certain HTTP request methods when serving static error pages. As a result, a remote user may be able to bypass HTTP method restrictions and cause unexpected actions to occur on static error pages, potentially including the deletion or replacement of the target error page.
Users are advised to apply updates.
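The following is an added triage example, not code from CERT-MU or the Apache Tomcat project. It scans Tomcat access-log lines (in the default "common" format) for requests that combine a write method with an error response, since the advisory's concern is that a request which is rejected and routed to a static error page may still carry its original method through to the default Servlet. The choice of PUT and DELETE as the methods of interest, the log format, and the sample log lines are all assumptions made for this example; a hit is a candidate for review on an affected version, not proof of exploitation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in Tomcat's default "common" access log format.
# The hosts, paths and timestamps are made up for this example.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Jun/2017:12:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.5 - - [10/Jun/2017:12:00:02 +0000] "DELETE /app/admin/ HTTP/1.1" 403 0
10.0.0.7 - - [10/Jun/2017:12:00:03 +0000] "PUT /app/does-not-exist HTTP/1.1" 404 0
10.0.0.9 - - [10/Jun/2017:12:00:04 +0000] "POST /app/login HTTP/1.1" 302 0
10.0.0.9 - - [10/Jun/2017:12:00:05 +0000] "DELETE /app/data/item/1 HTTP/1.1" 204 0
"""

# Matches: client, ident, user, [timestamp], "METHOD path protocol", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Assumption: the methods that could delete or replace a static resource.
WRITE_METHODS = {"PUT", "DELETE"}


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def find_suspicious(log_text: str) -> List[Finding]:
    """Return write-method requests that were answered with an error status.

    An error status means the request was dispatched to an error page; on
    an affected Tomcat the original write method may have been applied to
    that static error page, which is the condition the advisory describes.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] in WRITE_METHODS and 400 <= rec["status"] < 600:
            findings.append(Finding(rec["ip"], rec["ts"], rec["method"],
                                    rec["path"], rec["status"]))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_ACCESS_LOG):
        print(f"{f.timestamp} {f.ip} {f.method} {f.path} -> {f.status}")
```

On the constructed sample this flags the DELETE that received a 403 and the PUT that received a 404, and ignores the DELETE that succeeded with 204, because a successful write never went through the error-page path. Pair a hit with a check that the error page files under the web application are unchanged.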
More information is available on:
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street