Computer Emergency Response Team of Mauritius (CERT-MU)


Apache Tomcat Default Servlet Error Handling Bug May Let Remote Users Bypass HTTP Method Restrictions on the Target Error Page
Severity Rating: Medium
Systems Affected:
  • Apache Tomcat server versions 7.0.0 to 7.0.77, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14, 9.0.0.M1 to 9.0.0.M20
A vulnerability has been reported in Apache Tomcat that remote attackers can exploit to bypass security controls on the target system. The vulnerability exists because the default Servlet error page mechanism does not properly handle certain HTTP request methods for static error pages. As a result, a remote user may be able to bypass HTTP method restrictions and cause unexpected actions to occur for static error pages, potentially including the deletion or replacement of the target error page.
Users are advised to apply updates.
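To decide which servers need the update, the check below compares a Tomcat version string against the affected ranges listed above, including the milestone (M) and release-candidate (RC) builds. It is an added example, not part of the CERT-MU advisory or Apache's tooling; the function names, the host names and the assumption that versions arrive as `Apache Tomcat/x.y.z` banners are illustrative.

```python
import re

# Affected ranges as listed in the advisory above (inclusive at both ends).
AFFECTED = [
    ("7.0.0", "7.0.77"),
    ("8.0.0.RC1", "8.0.43"),
    ("8.5.0", "8.5.14"),
    ("9.0.0.M1", "9.0.0.M20"),
]

# major.minor.patch with an optional milestone (M) or release-candidate (RC) tag.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-](M|RC)(\d+))?", re.IGNORECASE)
# Milestones sort before release candidates, which sort before the final release.
_RANK = {"M": 0, "RC": 1, None: 2}


def version_key(text):
    """Return a sortable key for the first Tomcat version found in text."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, tag, number = match.groups()
    rank = _RANK[tag.upper() if tag else None]
    return (int(major), int(minor), int(patch), rank, int(number or 0))


def is_affected(text):
    """True when the version in text lies inside one of the advisory's ranges."""
    key = version_key(text)
    return any(version_key(low) <= key <= version_key(high) for low, high in AFFECTED)


if __name__ == "__main__":
    # Constructed inventory: hypothetical hosts with version.sh-style banners.
    inventory = {
        "app01": "Server version: Apache Tomcat/7.0.77",
        "app02": "Server version: Apache Tomcat/8.5.15",
        "app03": "Server version: Apache Tomcat/9.0.0.M20",
        "app04": "Server version: Apache Tomcat/9.0.0.M21",
    }
    for host, banner in sorted(inventory.items()):
        status = "AFFECTED, update" if is_affected(banner) else "outside listed ranges"
        print(f"{host}: {banner.split('/')[-1]} -> {status}")
```

A version outside the listed ranges is only outside this advisory; it says nothing about other issues in that release.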
More information is available on:
  • Vendor Information: Apache Tomcat
  • Security Tracker: Tomcat Apache
Contact Information
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis