FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

tomcat -- information disclosure vulnerability

Affected packages
5.5.0 < tomcat < 5.5.30
6.0.0 < tomcat < 6.0.27

Details

VuXML ID 3383e706-4fc3-11df-83fb-0015587e2cc1
Discovery 2010-04-22
Entry 2010-04-24

The Apache Software Foundation reports:

The "WWW-Authenticate" header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, if a <realm-name> is not specified then Tomcat will generate one.

In some circumstances this can expose the local hostname or IP address of the machine running Tomcat.
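
An added example (not part of the advisory and not Tomcat code): a Python check that parses a web.xml descriptor and flags BASIC or DIGEST <login-config> blocks that have no <realm-name>, the case in which the report says Tomcat generates the realm itself. The function name audit_web_xml and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Auth methods whose WWW-Authenticate challenge carries a realm name.
REALM_METHODS = {"BASIC", "DIGEST"}

# Constructed sample descriptors (not taken from any real application).
SAMPLE_MISSING = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>"""

SAMPLE_EXPLICIT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Application</realm-name>
  </login-config>
</web-app>"""

def _local(tag):
    """Strip an XML namespace: '{ns}login-config' -> 'login-config'."""
    return tag.rsplit("}", 1)[-1]

def _child_text(parent, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(xml_text):
    """Return one finding per <login-config> that lacks an explicit realm."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "login-config":
            continue
        method = (_child_text(elem, "auth-method") or "").upper()
        realm = _child_text(elem, "realm-name")
        # Assumption: an empty <realm-name> is reported the same as a missing one.
        if method in REALM_METHODS and not realm:
            findings.append(f"{method} auth without <realm-name>: "
                            "Tomcat will generate the realm")
    return findings

if __name__ == "__main__":
    for label, doc in (("missing", SAMPLE_MISSING), ("explicit", SAMPLE_EXPLICIT)):
        print(label, audit_web_xml(doc) or "ok")
```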

References

CVE Name CVE-2010-1157
FreeBSD PR ports/146022
URL http://seclists.org/bugtraq/2010/Apr/200