VIR Vulnerability Intelligence Relay

CVE-2017-7674

medium
Published 2017-08-11 · Modified 2024-03-11
CVSS v3
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS v2
4.3
VIR risk
4.3

Description

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Predictions

Exploit likelihood
53%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-7674

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-7674.html

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debianbookwormfixed0
debian debianbullseyefixed0
debian debianforkyfixed0
debian debiansidfixed0
debian debiantrixiefixed0

Package impact
EcosystemPackageVulnerableFixed
java Mavenorg.apache.tomcat:tomcat>=9.0.0.M1,<9.0.0.M229.0.0.M22
java Mavenorg.apache.tomcat:tomcat>=8.5.0,<8.5.168.5.16
java Mavenorg.apache.tomcat:tomcat>=8.0.0.RC1,<8.0.458.0.45
java Mavenorg.apache.tomcat:tomcat>=7.0.41,<7.0.797.0.79

Application impact
VendorProductVersionsFixed
apache apachetomcat7.0.41
apache apachetomcat7.0.42
apache apachetomcat7.0.43
apache apachetomcat7.0.44
apache apachetomcat7.0.45
apache apachetomcat7.0.46
apache apachetomcat7.0.47
apache apachetomcat7.0.48
apache apachetomcat7.0.49
apache apachetomcat7.0.50
apache apachetomcat7.0.52
apache apachetomcat7.0.53
apache apachetomcat7.0.54
apache apachetomcat7.0.55
apache apachetomcat7.0.56
apache apachetomcat7.0.57
apache apachetomcat7.0.58
apache apachetomcat7.0.59
apache apachetomcat7.0.60
apache apachetomcat7.0.61
apache apachetomcat7.0.62
apache apachetomcat7.0.63
apache apachetomcat7.0.64
apache apachetomcat7.0.65
apache apachetomcat7.0.66
apache apachetomcat7.0.67
apache apachetomcat7.0.68
apache apachetomcat7.0.69
apache apachetomcat7.0.70
apache apachetomcat7.0.71
apache apachetomcat7.0.72
apache apachetomcat7.0.73
apache apachetomcat7.0.74
apache apachetomcat7.0.75
apache apachetomcat7.0.76
apache apachetomcat7.0.77
apache apachetomcat7.0.78
apache apachetomcat8.0
apache apachetomcat8.0.0
apache apachetomcat8.0.1
apache apachetomcat8.0.2
apache apachetomcat8.0.3
apache apachetomcat8.0.4
apache apachetomcat8.0.5
apache apachetomcat8.0.6
apache apachetomcat8.0.7
apache apachetomcat8.0.8
apache apachetomcat8.0.9
apache apachetomcat8.0.10
apache apachetomcat8.0.11
apache apachetomcat8.0.12
apache apachetomcat8.0.13
apache apachetomcat8.0.14
apache apachetomcat8.0.15
apache apachetomcat8.0.16
apache apachetomcat8.0.17
apache apachetomcat8.0.18
apache apachetomcat8.0.19
apache apachetomcat8.0.20
apache apachetomcat8.0.21
apache apachetomcat8.0.22
apache apachetomcat8.0.23
apache apachetomcat8.0.24
apache apachetomcat8.0.25
apache apachetomcat8.0.26
apache apachetomcat8.0.27
apache apachetomcat8.0.28
apache apachetomcat8.0.29
apache apachetomcat8.0.30
apache apachetomcat8.0.31
apache apachetomcat8.0.32
apache apachetomcat8.0.33
apache apachetomcat8.0.34
apache apachetomcat8.0.35
apache apachetomcat8.0.36
apache apachetomcat8.0.37
apache apachetomcat8.0.38
apache apachetomcat8.0.39
apache apachetomcat8.0.40
apache apachetomcat8.0.41
apache apachetomcat8.0.42
apache apachetomcat8.0.43
apache apachetomcat8.0.44
apache apachetomcat8.5.0
apache apachetomcat8.5.1
apache apachetomcat8.5.2
apache apachetomcat8.5.3
apache apachetomcat8.5.4
apache apachetomcat8.5.5
apache apachetomcat8.5.6
apache apachetomcat8.5.7
apache apachetomcat8.5.8
apache apachetomcat8.5.9
apache apachetomcat8.5.10
apache apachetomcat8.5.11
apache apachetomcat8.5.12
apache apachetomcat8.5.13
apache apachetomcat8.5.14
apache apachetomcat8.5.15
apache apachetomcat9.0.0

References

CWEs

CWE-345

Verify integrity in audit chain (admin only). AS-IS.