"Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious Flash files to make requests with such custom headers. Tomcat now ignores invalid values for Accept-Language headers that do not conform to RFC 2616."

Therefore impact=low

"This flaw is actually an issue in the container getLocale() method and not in Struts itself. Tomcat has already been patched to ignore invalid values in the header, which blocks this flaw. The fix is included in version 6.0.6 and later. The flaw will also be included in 5.5.21 and 4.1.35 once released (see references below for the commits)
http://marc.theaimsgroup.com/?t=116546006600003&r=1&w=2
http://marc.theaimsgroup.com/?l=tomcat-dev&m=116554293928041&w=2
http://marc.theaimsgroup.com/?l=tomcat-dev&m=116554309925687&w=2
http://marc.theaimsgroup.com/?l=tomcat-dev&m=116554395917675&w=2"
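An added example, not code from this bug report, from Tomcat or from Struts: a small Python check of the RFC 2616 Accept-Language grammar the comment above refers to, with a page that reflects the raw header beside one that only displays a value that passed the check. The header strings are constructed test input; the function names (parse_accept_language, preferred_language, render_vulnerable, render_hardened) and the "en" fallback for an invalid header are my assumptions, and the example does not reproduce how getLocale() itself picks a default locale.

```python
import html
import re

# RFC 2616 grammar for the header (sections 3.10 and 14.4):
#   Accept-Language = "Accept-Language" ":" 1#( language-range [ ";" "q" "=" qvalue ] )
#   language-range  = ( ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*" )
#   qvalue          = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
LANGUAGE_RANGE = re.compile(r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)$")
QVALUE = re.compile(r"^(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)$")
Q_PARAM = re.compile(r"^[qQ]\s*=\s*(\S*)$")  # implied LWS around "=" is allowed


def parse_accept_language(header):
    """Parse an Accept-Language value strictly against the RFC 2616 grammar.

    Returns a list of (language_range, q) in header order, or None if any
    element violates the grammar. Treating the whole header as invalid is the
    "ignore invalid values" behaviour the bug report describes.
    """
    ranges = []
    for element in header.split(","):
        element = element.strip()
        if not element:
            continue  # the #rule permits empty list elements
        parts = [p.strip() for p in element.split(";")]
        if len(parts) > 2 or not LANGUAGE_RANGE.match(parts[0]):
            return None
        q = 1.0
        if len(parts) == 2:
            m = Q_PARAM.match(parts[1])
            if not m or not QVALUE.match(m.group(1)):
                return None
            q = float(m.group(1))
        ranges.append((parts[0], q))
    return ranges or None  # 1#(...) requires at least one element


def preferred_language(header, default="en"):
    """Highest-q range from a valid header; the assumed default for an invalid one."""
    ranges = parse_accept_language(header)
    if not ranges:
        return default
    # max() returns the first of several equal-q entries, i.e. header order wins ties
    return max(ranges, key=lambda r: r[1])[0]


def render_vulnerable(header):
    """Reflects the raw header, trusting it to be a language tag (the flaw described above)."""
    return "<p>Your language: " + header + "</p>"


def render_hardened(header, default="en"):
    """Displays only a value that passed the grammar check, and escapes it anyway."""
    return "<p>Your language: " + html.escape(preferred_language(header, default)) + "</p>"


if __name__ == "__main__":
    # Constructed sample headers: one well-formed, one that no RFC 2616 client would send.
    for h in ["da, en-gb;q=0.8, en;q=0.7", "<script>alert(1)</script>"]:
        print(repr(h))
        print("  parsed:    ", parse_accept_language(h))
        print("  vulnerable:", render_vulnerable(h))
        print("  hardened:  ", render_hardened(h))
```

The hardened page rejects the whole header on the first malformed element rather than salvaging the valid ones, which keeps the check simple and matches the "ignore invalid values" wording; escaping the chosen value as well is defence in depth in case the grammar check is later loosened.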
Already applied patches:
------------------------
http://marc.info/?l=tomcat-dev&m=116554395917675&w=2
http://marc.info/?l=tomcat-dev&m=116554309925687&w=2
http://marc.info/?l=tomcat-dev&m=116554293928041&w=2

Patches that can be applied:
----------------------------
http://marc.info/?l=tomcat-dev&m=116545994900298&w=2
1st chunk is already in the code; the other parts can be applied.
tomcat5-5.5.25-1jpp.1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
tomcat5-5.5.25-1jpp.1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html