CVE-2017-7674
First published: Thu Aug 10 2017(Updated: )
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tomcat | =7.0.41 | |
| Apache Tomcat | =7.0.42 | |
| Apache Tomcat | =7.0.43 | |
| Apache Tomcat | =7.0.44 | |
| Apache Tomcat | =7.0.45 | |
| Apache Tomcat | =7.0.46 | |
| Apache Tomcat | =7.0.47 | |
| Apache Tomcat | =7.0.48 | |
| Apache Tomcat | =7.0.49 | |
| Apache Tomcat | =7.0.50 | |
| Apache Tomcat | =7.0.52 | |
| Apache Tomcat | =7.0.53 | |
| Apache Tomcat | =7.0.54 | |
| Apache Tomcat | =7.0.55 | |
| Apache Tomcat | =7.0.56 | |
| Apache Tomcat | =7.0.57 | |
| Apache Tomcat | =7.0.58 | |
| Apache Tomcat | =7.0.59 | |
| Apache Tomcat | =7.0.60 | |
| Apache Tomcat | =7.0.61 | |
| Apache Tomcat | =7.0.62 | |
| Apache Tomcat | =7.0.63 | |
| Apache Tomcat | =7.0.64 | |
| Apache Tomcat | =7.0.65 | |
| Apache Tomcat | =7.0.66 | |
| Apache Tomcat | =7.0.67 | |
| Apache Tomcat | =7.0.68 | |
| Apache Tomcat | =7.0.69 | |
| Apache Tomcat | =7.0.70 | |
| Apache Tomcat | =7.0.71 | |
| Apache Tomcat | =7.0.72 | |
| Apache Tomcat | =7.0.73 | |
| Apache Tomcat | =7.0.74 | |
| Apache Tomcat | =7.0.75 | |
| Apache Tomcat | =7.0.76 | |
| Apache Tomcat | =7.0.77 | |
| Apache Tomcat | =7.0.78 | |
| Apache Tomcat | =8.0 | |
| Apache Tomcat | =8.0.0-rc1 | |
| Apache Tomcat | =8.0.0-rc10 | |
| Apache Tomcat | =8.0.0-rc3 | |
| Apache Tomcat | =8.0.0-rc5 | |
| Apache Tomcat | =8.0.1 | |
| Apache Tomcat | =8.0.2 | |
| Apache Tomcat | =8.0.3 | |
| Apache Tomcat | =8.0.4 | |
| Apache Tomcat | =8.0.5 | |
| Apache Tomcat | =8.0.6 | |
| Apache Tomcat | =8.0.7 | |
| Apache Tomcat | =8.0.8 | |
| Apache Tomcat | =8.0.9 | |
| Apache Tomcat | =8.0.10 | |
| Apache Tomcat | =8.0.11 | |
| Apache Tomcat | =8.0.12 | |
| Apache Tomcat | =8.0.13 | |
| Apache Tomcat | =8.0.14 | |
| Apache Tomcat | =8.0.15 | |
| Apache Tomcat | =8.0.16 | |
| Apache Tomcat | =8.0.17 | |
| Apache Tomcat | =8.0.18 | |
| Apache Tomcat | =8.0.19 | |
| Apache Tomcat | =8.0.20 | |
| Apache Tomcat | =8.0.21 | |
| Apache Tomcat | =8.0.22 | |
| Apache Tomcat | =8.0.23 | |
| Apache Tomcat | =8.0.24 | |
| Apache Tomcat | =8.0.25 | |
| Apache Tomcat | =8.0.26 | |
| Apache Tomcat | =8.0.27 | |
| Apache Tomcat | =8.0.28 | |
| Apache Tomcat | =8.0.29 | |
| Apache Tomcat | =8.0.30 | |
| Apache Tomcat | =8.0.31 | |
| Apache Tomcat | =8.0.32 | |
| Apache Tomcat | =8.0.33 | |
| Apache Tomcat | =8.0.34 | |
| Apache Tomcat | =8.0.35 | |
| Apache Tomcat | =8.0.36 | |
| Apache Tomcat | =8.0.37 | |
| Apache Tomcat | =8.0.38 | |
| Apache Tomcat | =8.0.39 | |
| Apache Tomcat | =8.0.40 | |
| Apache Tomcat | =8.0.41 | |
| Apache Tomcat | =8.0.42 | |
| Apache Tomcat | =8.0.43 | |
| Apache Tomcat | =8.0.44 | |
| Apache Tomcat | =8.5.0 | |
| Apache Tomcat | =8.5.1 | |
| Apache Tomcat | =8.5.2 | |
| Apache Tomcat | =8.5.3 | |
| Apache Tomcat | =8.5.4 | |
| Apache Tomcat | =8.5.5 | |
| Apache Tomcat | =8.5.6 | |
| Apache Tomcat | =8.5.7 | |
| Apache Tomcat | =8.5.8 | |
| Apache Tomcat | =8.5.9 | |
| Apache Tomcat | =8.5.10 | |
| Apache Tomcat | =8.5.11 | |
| Apache Tomcat | =8.5.12 | |
| Apache Tomcat | =8.5.13 | |
| Apache Tomcat | =8.5.14 | |
| Apache Tomcat | =8.5.15 | |
| Apache Tomcat | =9.0.0-milestone1 | |
| Apache Tomcat | =9.0.0-milestone10 | |
| Apache Tomcat | =9.0.0-milestone11 | |
| Apache Tomcat | =9.0.0-milestone12 | |
| Apache Tomcat | =9.0.0-milestone13 | |
| Apache Tomcat | =9.0.0-milestone14 | |
| Apache Tomcat | =9.0.0-milestone15 | |
| Apache Tomcat | =9.0.0-milestone16 | |
| Apache Tomcat | =9.0.0-milestone17 | |
| Apache Tomcat | =9.0.0-milestone18 | |
| Apache Tomcat | =9.0.0-milestone19 | |
| Apache Tomcat | =9.0.0-milestone2 | |
| Apache Tomcat | =9.0.0-milestone20 | |
| Apache Tomcat | =9.0.0-milestone21 | |
| Apache Tomcat | =9.0.0-milestone3 | |
| Apache Tomcat | =9.0.0-milestone4 | |
| Apache Tomcat | =9.0.0-milestone5 | |
| Apache Tomcat | =9.0.0-milestone6 | |
| Apache Tomcat | =9.0.0-milestone7 | |
| Apache Tomcat | =9.0.0-milestone8 | |
| Apache Tomcat | =9.0.0-milestone9 | |
| Apache Tomcat | =9.0.0-m1 | |
| Apache Tomcat | =9.0.0-m10 | |
| Apache Tomcat | =9.0.0-m11 | |
| Apache Tomcat | =9.0.0-m12 | |
| Apache Tomcat | =9.0.0-m13 | |
| Apache Tomcat | =9.0.0-m14 | |
| Apache Tomcat | =9.0.0-m15 | |
| Apache Tomcat | =9.0.0-m16 | |
| Apache Tomcat | =9.0.0-m17 | |
| Apache Tomcat | =9.0.0-m18 | |
| Apache Tomcat | =9.0.0-m19 | |
| Apache Tomcat | =9.0.0-m2 | |
| Apache Tomcat | =9.0.0-m20 | |
| Apache Tomcat | =9.0.0-m21 | |
| Apache Tomcat | =9.0.0-m3 | |
| Apache Tomcat | =9.0.0-m4 | |
| Apache Tomcat | =9.0.0-m5 | |
| Apache Tomcat | =9.0.0-m6 | |
| Apache Tomcat | =9.0.0-m7 | |
| Apache Tomcat | =9.0.0-m8 | |
| Apache Tomcat | =9.0.0-m9 | |
| maven/org.apache.tomcat:tomcat | >=7.0.41<=7.0.78 | 7.0.79 |
| maven/org.apache.tomcat:tomcat | >=8.0.0.RC1<=8.0.44 | 8.0.45 |
| maven/org.apache.tomcat:tomcat | >=8.5.0<=8.5.15 | 8.5.16 |
| maven/org.apache.tomcat:tomcat | >=9.0.0.M1<=9.0.0.M21 | 9.0.0.M22 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.debian.org/security/2017/dsa-3974
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.securityfocus.com/bid/100280
- https://access.redhat.com/errata/RHSA-2017:1801
- https://access.redhat.com/errata/RHSA-2017:1802
- https://access.redhat.com/errata/RHSA-2017:3081
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/22b4bb077502f847e2b9fcf00b96e81e734466ab459780ff73b60c0f@%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html
- https://security.netapp.com/advisory/ntap-20180614-0003/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/22b4bb077502f847e2b9fcf00b96e81e734466ab459780ff73b60c0f%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2017-7674
- https://github.com/apache/tomcat/commit/52382ebfbce20a98b01cd9d37184a12703987a5a
- https://lists.apache.org/thread/bol4f8wyjfsbo135tw9gy49o5nf8qpth
- https://svn.apache.org/viewvc?view=revision&revision=1795816
- https://web.archive.org/web/20210116171055/http://www.securityfocus.com/bid/100280
- https://web.archive.org/web/20171115015045/http://www.securityfocus.com/bid/100280
- https://github.com/advisories/GHSA-73rx-3f9r-x949 (Advisory)
- https://svn.apache.org/viewvc?view=revision&revision=1795815
- https://svn.apache.org/viewvc?view=revision&revision=1795814
- https://tomcat.apache.org/security-7.html
- https://tomcat.apache.org/security-8.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1480619
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1480621
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1480620
- https://bugzilla.redhat.com/show_bug.cgi?id=1480618
- https://github.com/apache/tomcat/commit/9044c1672bbe4b2cf4c55028cc8b977cc62650e7
- https://github.com/apache/tomcat/commit/b94478d45b7e1fc06134a785571f78772fa30fed
- https://github.com/apache/tomcat80/commit/f52c242d92d4563dd1226dcc993ec37370ba9ce3
- https://security.netapp.com/advisory/ntap-20180614-0003
- collector/nvd-index
- collector/nvd-api
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-7674
- agent/software-canonical-lookup
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-73rx-3f9r-x949
- agent/references
- agent/last-modified-date
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/7.0.41
- version/apache tomcat/7.0.42
- version/apache tomcat/7.0.43
- version/apache tomcat/7.0.44
- version/apache tomcat/7.0.45
- version/apache tomcat/7.0.46
- version/apache tomcat/7.0.47
- version/apache tomcat/7.0.48
- version/apache tomcat/7.0.49
- version/apache tomcat/7.0.50
- version/apache tomcat/7.0.52
- version/apache tomcat/7.0.53
- version/apache tomcat/7.0.54
- version/apache tomcat/7.0.55
- version/apache tomcat/7.0.56
- version/apache tomcat/7.0.57
- version/apache tomcat/7.0.58
- version/apache tomcat/7.0.59
- version/apache tomcat/7.0.60
- version/apache tomcat/7.0.61
- version/apache tomcat/7.0.62
- version/apache tomcat/7.0.63
- version/apache tomcat/7.0.64
- version/apache tomcat/7.0.65
- version/apache tomcat/7.0.66
- version/apache tomcat/7.0.67
- version/apache tomcat/7.0.68
- version/apache tomcat/7.0.69
- version/apache tomcat/7.0.70
- version/apache tomcat/7.0.71
- version/apache tomcat/7.0.72
- version/apache tomcat/7.0.73
- version/apache tomcat/7.0.74
- version/apache tomcat/7.0.75
- version/apache tomcat/7.0.76
- version/apache tomcat/7.0.77
- version/apache tomcat/7.0.78
- version/apache tomcat/8.0
- version/apache tomcat/8.0.0-rc1
- version/apache tomcat/8.0.0-rc10
- version/apache tomcat/8.0.0-rc3
- version/apache tomcat/8.0.0-rc5
- version/apache tomcat/8.0.1
- version/apache tomcat/8.0.2
- version/apache tomcat/8.0.3
- version/apache tomcat/8.0.4
- version/apache tomcat/8.0.5
- version/apache tomcat/8.0.6
- version/apache tomcat/8.0.7
- version/apache tomcat/8.0.8
- version/apache tomcat/8.0.9
- version/apache tomcat/8.0.10
- version/apache tomcat/8.0.11
- version/apache tomcat/8.0.12
- version/apache tomcat/8.0.13
- version/apache tomcat/8.0.14
- version/apache tomcat/8.0.15
- version/apache tomcat/8.0.16
- version/apache tomcat/8.0.17
- version/apache tomcat/8.0.18
- version/apache tomcat/8.0.19
- version/apache tomcat/8.0.20
- version/apache tomcat/8.0.21
- version/apache tomcat/8.0.22
- version/apache tomcat/8.0.23
- version/apache tomcat/8.0.24
- version/apache tomcat/8.0.25
- version/apache tomcat/8.0.26
- version/apache tomcat/8.0.27
- version/apache tomcat/8.0.28
- version/apache tomcat/8.0.29
- version/apache tomcat/8.0.30
- version/apache tomcat/8.0.31
- version/apache tomcat/8.0.32
- version/apache tomcat/8.0.33
- version/apache tomcat/8.0.34
- version/apache tomcat/8.0.35
- version/apache tomcat/8.0.36
- version/apache tomcat/8.0.37
- version/apache tomcat/8.0.38
- version/apache tomcat/8.0.39
- version/apache tomcat/8.0.40
- version/apache tomcat/8.0.41
- version/apache tomcat/8.0.42
- version/apache tomcat/8.0.43
- version/apache tomcat/8.0.44
- version/apache tomcat/8.5.0
- version/apache tomcat/8.5.1
- version/apache tomcat/8.5.2
- version/apache tomcat/8.5.3
- version/apache tomcat/8.5.4
- version/apache tomcat/8.5.5
- version/apache tomcat/8.5.6
- version/apache tomcat/8.5.7
- version/apache tomcat/8.5.8
- version/apache tomcat/8.5.9
- version/apache tomcat/8.5.10
- version/apache tomcat/8.5.11
- version/apache tomcat/8.5.12
- version/apache tomcat/8.5.13
- version/apache tomcat/8.5.14
- version/apache tomcat/8.5.15
- version/apache tomcat/9.0.0-m1
- version/apache tomcat/9.0.0-m10
- version/apache tomcat/9.0.0-m11
- version/apache tomcat/9.0.0-m12
- version/apache tomcat/9.0.0-m13
- version/apache tomcat/9.0.0-m14
- version/apache tomcat/9.0.0-m15
- version/apache tomcat/9.0.0-m16
- version/apache tomcat/9.0.0-m17
- version/apache tomcat/9.0.0-m18
- version/apache tomcat/9.0.0-m19
- version/apache tomcat/9.0.0-m2
- version/apache tomcat/9.0.0-m20
- version/apache tomcat/9.0.0-m21
- version/apache tomcat/9.0.0-m3
- version/apache tomcat/9.0.0-m4
- version/apache tomcat/9.0.0-m5
- version/apache tomcat/9.0.0-m6
- version/apache tomcat/9.0.0-m7
- version/apache tomcat/9.0.0-m8
- version/apache tomcat/9.0.0-m9
- version/apache tomcat/9.0.0-milestone1
- version/apache tomcat/9.0.0-milestone10
- version/apache tomcat/9.0.0-milestone11
- version/apache tomcat/9.0.0-milestone12
- version/apache tomcat/9.0.0-milestone13
- version/apache tomcat/9.0.0-milestone14
- version/apache tomcat/9.0.0-milestone15
- version/apache tomcat/9.0.0-milestone16
- version/apache tomcat/9.0.0-milestone17
- version/apache tomcat/9.0.0-milestone18
- version/apache tomcat/9.0.0-milestone19
- version/apache tomcat/9.0.0-milestone2
- version/apache tomcat/9.0.0-milestone20
- version/apache tomcat/9.0.0-milestone21
- version/apache tomcat/9.0.0-milestone3
- version/apache tomcat/9.0.0-milestone4
- version/apache tomcat/9.0.0-milestone5
- version/apache tomcat/9.0.0-milestone6
- version/apache tomcat/9.0.0-milestone7
- version/apache tomcat/9.0.0-milestone8
- version/apache tomcat/9.0.0-milestone9
- package-manager/redhat
- package-manager/maven