DSA-3974-1 tomcat8 -- tomcat8
ID: oval:org.secpod.oval:def:70590 | Date: (C)2021-04-01 (M)2023-12-14 |
Class: PATCH | Family: unix |
Two issues were discovered in the Tomcat servlet and JSP engine.

CVE-2017-7674: Rick Riemer discovered that the Cross-Origin Resource Sharing filter did not add a Vary header indicating possible different responses, which could lead to cache poisoning.

CVE-2017-7675: Markus Dörschmidt found that the HTTP/2 implementation bypassed some security checks, thus allowing an attacker to conduct directory traversal attacks by using specially crafted URLs.