CVE-2017-12616

NameCVE-2017-12616
DescriptionWhen using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1108-1, DLA-1400-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat7 (PTS)jessie7.0.56-3+deb8u11vulnerable
jessie (security)7.0.56-3+really7.0.91-1fixed
stretch7.0.75-1fixed
buster, sid7.0.78-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat7source(unstable)7.0.72-3medium
tomcat7sourcejessie7.0.56-3+really7.0.88-1mediumDLA-1400-1
tomcat7sourcewheezy7.0.28-4+deb7u15mediumDLA-1108-1

Notes

Since 7.0.72-3, src:tomcat7 only builds the Servlet API
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://svn.apache.org/r1804729

Search for package or bug name: Reporting problems