JVN#16535199
Apache Tomcat Accept-Language Header Cross-Site Scripting Vulnerability
Overview
Apache Tomcat from the Apache Software Foundation contains a cross-site scripting vulnerability in the Accept-Language header handling.
Products Affected
- Apache Tomcat 4.0.0 - 4.0.6
- Apache Tomcat 4.1.0 - 4.1.34
- Apache Tomcat 5.0.0 - 5.0.30
- Apache Tomcat 5.5.0 - 5.5.20
- Apache Tomcat 6.0.0 - 6.0.5
Description
Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies.
Apache Tomcat contains a cross-site scripting vulnerability. It occurs when the value of the Accept-Language header sent by a client does not conform to the standard header syntax.
The developer has confirmed that this vulnerability occurs when an outdated version of Flash is used.
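As an added example (not part of the JVN advisory or of Tomcat's own code), the following strict validator applies the RFC 2616 Accept-Language grammar, which is the reference point for "non-standard" header values; it is then run over constructed request log lines to flag the malformed values a front-end filter or log review would want to catch before such a value is reflected into a page.

```python
import re

# RFC 2616 section 14.4 grammar for Accept-Language:
#   Accept-Language = 1#( language-range [ ";" "q" "=" qvalue ] )
#   language-range  = ( ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*" )
#   qvalue          = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
_LANG_RANGE = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)"
_QVALUE = r"(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)"
_ELEMENT_RE = re.compile(
    rf"^(?P<range>{_LANG_RANGE})(?:[ \t]*;[ \t]*q[ \t]*=[ \t]*(?P<q>{_QVALUE}))?$"
)


def parse_accept_language(value):
    """Return a list of (language-range, q) if the header conforms to the
    RFC 2616 grammar, or None if any element is malformed.
    A header that does not parse should be rejected or treated as absent,
    never echoed into HTML without escaping."""
    ranges = []
    for element in value.split(","):
        element = element.strip(" \t")
        if not element:
            continue  # the #rule allows null elements between commas
        m = _ELEMENT_RE.match(element)
        if m is None:
            return None
        ranges.append((m.group("range"), float(m.group("q") or "1")))
    return ranges or None  # 1# requires at least one real element


# Constructed sample log lines (not taken from the advisory); only the first
# header value conforms to the grammar.
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.jsp" accept-language="en-US,en;q=0.9"',
    '10.0.0.6 "GET /index.jsp" accept-language="en_US"',
    '10.0.0.7 "GET /index.jsp" accept-language="fr;q=1.5"',
    '10.0.0.8 "GET /index.jsp" accept-language="en-US,<b>oops</b>"',
]
_HDR_RE = re.compile(r'accept-language="([^"]*)"')


def find_nonconforming(lines):
    """Return the Accept-Language values in the log lines that fail validation."""
    bad = []
    for line in lines:
        m = _HDR_RE.search(line)
        if m and parse_accept_language(m.group(1)) is None:
            bad.append(m.group(1))
    return bad
```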
Impact
An arbitrary script may be executed on the user's web browser.
Solution
Update the software
Apply the latest updates provided by the developer.
For more information, refer to the developer's website.
Vendor Status
Vendor | Status | Last Update | Vendor Notes
---|---|---|---
FUJITSU LIMITED | Vulnerable | 2015/10/13 |
nec | Vulnerable | 2008/04/07 |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Masato Anzai and Toshiharu Sugiyama of UBSecure, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
JPCERT Reports |
CERT Advisory |
CPNI Advisory |
TRnotes |
CVE | CVE-2007-1358
JVN iPedia | JVNDB-2007-000297
Update History
- 2015/10/21
- FUJITSU LIMITED update status