CVE-2013-4590
UnknownEPSS 9.49%
Last modified
CVE-2013-4590 is a vulnerability of currently unknown severity. Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.. EPSS estimates a 9.49% chance of exploitation in the next 30 days.
Description
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Apache | Tomcat | 8.0.0 | Rc1 |
| Debian | Debian Linux | 7.0 | — |
| Apache | Tomcat | <= 6.0.37 | — |
| Apache | Tomcat | 1.1.3 | — |
| Apache | Tomcat | 3.0 | — |
| Apache | Tomcat | 3.1 | — |
| Apache | Tomcat | 3.1.1 | — |
| Apache | Tomcat | 3.2 | — |
| Apache | Tomcat | 3.2.1 | — |
| Apache | Tomcat | 3.2.2 | — |
| Apache | Tomcat | 3.2.3 | — |
| Apache | Tomcat | 3.2.4 | — |
| Apache | Tomcat | 3.3 | — |
| Apache | Tomcat | 3.3.1 | — |
| Apache | Tomcat | 3.3.1a | — |
| Apache | Tomcat | 3.3.2 | — |
| Apache | Tomcat | 4 | — |
| Apache | Tomcat | 4.0.0 | — |
| Apache | Tomcat | 4.0.1 | — |
| Apache | Tomcat | 4.0.2 | — |
| Apache | Tomcat | 4.0.3 | — |
| Apache | Tomcat | 4.0.4 | — |
| Apache | Tomcat | 4.0.5 | — |
| Apache | Tomcat | 4.0.6 | — |
| Apache | Tomcat | 4.1.0 | — |
| Apache | Tomcat | 4.1.1 | — |
| Apache | Tomcat | 4.1.2 | — |
| Apache | Tomcat | 4.1.3 | — |
| Apache | Tomcat | 4.1.9 | Beta |
| Apache | Tomcat | 4.1.10 | — |
| Apache | Tomcat | 4.1.12 | — |
| Apache | Tomcat | 4.1.15 | — |
| Apache | Tomcat | 4.1.24 | — |
| Apache | Tomcat | 4.1.28 | — |
| Apache | Tomcat | 4.1.29 | — |
| Apache | Tomcat | 4.1.31 | — |
| Apache | Tomcat | 4.1.36 | — |
| Apache | Tomcat | 5 | — |
| Apache | Tomcat | 5.0.0 | — |
| Apache | Tomcat | 5.0.1 | — |
| Apache | Tomcat | 5.0.2 | — |
| Apache | Tomcat | 5.0.3 | — |
| Apache | Tomcat | 5.0.4 | — |
| Apache | Tomcat | 5.0.5 | — |
| Apache | Tomcat | 5.0.6 | — |
| Apache | Tomcat | 5.0.7 | — |
| Apache | Tomcat | 5.0.8 | — |
| Apache | Tomcat | 5.0.9 | — |
| Apache | Tomcat | 5.0.10 | — |
| Apache | Tomcat | 5.0.11 | — |
Showing 50 of 176 affected configurations. See NVD for the full list.
References
- http://advisories.mageia.org/MGASA-2014-0148.htmlThird Party Advisory
- http://secunia.com/advisories/59036Permissions Required, Third Party Advisory
- http://secunia.com/advisories/59722Permissions Required, Third Party Advisory
- http://secunia.com/advisories/59724Permissions Required, Third Party Advisory
- http://secunia.com/advisories/59873Permissions Required, Third Party Advisory
- http://tomcat.apache.org/security-6.htmlVendor Advisory
- http://tomcat.apache.org/security-7.htmlVendor Advisory
- http://tomcat.apache.org/security-8.htmlVendor Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21667883Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21675886Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21677147Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21678231Third Party Advisory
- http://www.debian.org/security/2016/dsa-3530Third Party Advisory
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:052Third Party Advisory
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:084Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlThird Party Advisory
- http://www.securityfocus.com/bid/65768Third Party Advisory, VDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=1069911Issue Tracking
- http://advisories.mageia.org/MGASA-2014-0148.htmlThird Party Advisory
- http://secunia.com/advisories/59036Permissions Required, Third Party Advisory
- http://secunia.com/advisories/59722Permissions Required, Third Party Advisory
- http://secunia.com/advisories/59724Permissions Required, Third Party Advisory
- http://secunia.com/advisories/59873Permissions Required, Third Party Advisory
- http://tomcat.apache.org/security-6.htmlVendor Advisory
- http://tomcat.apache.org/security-7.htmlVendor Advisory
- http://tomcat.apache.org/security-8.htmlVendor Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21667883Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21675886Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21677147Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21678231Third Party Advisory
- http://www.debian.org/security/2016/dsa-3530Third Party Advisory
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:052Third Party Advisory
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:084Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlThird Party Advisory
- http://www.securityfocus.com/bid/65768Third Party Advisory, VDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=1069911Issue Tracking
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2013-4590?
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
How severe is CVE-2013-4590?
Severity scoring for CVE-2013-4590 is pending analysis. The EPSS model estimates a 9.49% probability of exploitation in the next 30 days.
How do I fix CVE-2013-4590?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2013-4590?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST