Bug 237084 (CVE-2006-3835)
| Summary: | CVE-2006-3835 tomcat directory listing issue | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mark J. Cox <mjc> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | Severity: | medium |
| Priority: | medium | Keywords: | Security |
| Version: | unspecified | Doc Type: | Bug Fix |
| Hardware: | All | OS: | All |
| Last Closed: | 2013-05-08 18:05:05 UTC | Bug Blocks: | 444136 |
| Bug Depends On: | 237086, 237090, 238402, 390331, 390341, 390351, 390361, 414311, 430730, 430731, 449337, 470236, 470237 | | |

Description
Mark J. Cox
2007-04-19 12:09:31 UTC
Note that there's no actual fix in Tomcat 5.5.17 (as the problem is not Tomcat related, but is caused by mod_jk). It is simply that in that release directory listing is disabled by default, while in previous versions it is enabled by default which mitigates this issue. Therefore the severity of this issue for a given Tomcat package will depend on how Tomcat is packaged and the defaults used.

Advisory text: "Directory listings were enabled by default in Tomcat. This could lead to a minor information leak if sensitive information is stored unprotected under the document root and the administrator did not disable directory listings (CVE-2007-0450)"

This issue has been addressed in following products:

Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html

Please see https://access.redhat.com/security/cve/CVE-2006-3835 for a list of other products that contain this fix.