CVE-2013-4444 (Medium) detected in tomcat-embed-core-7.0.37.jar, tomcat-embed-core-7.0.0.jar - autoclosed

[mend-for-jackfan.us.kg]

CVE-2013-4444 - Medium Severity Vulnerability

Vulnerable Libraries - tomcat-embed-core-7.0.37.jar, tomcat-embed-core-7.0.0.jar

tomcat-embed-core-7.0.37.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /dd-java-agent/instrumentation/jsp-2.3/jsp-2.3.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.37/13754cedeae4b94451b4563111fad71dab9ae619/tomcat-embed-core-7.0.37.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.37/13754cedeae4b94451b4563111fad71dab9ae619/tomcat-embed-core-7.0.37.jar

Dependency Hierarchy:

• ❌ tomcat-embed-core-7.0.37.jar (Vulnerable Library)

tomcat-embed-core-7.0.0.jar

Core Tomcat implementation

Path to dependency file: /dd-java-agent/instrumentation/java-concurrent/lambda-testing/lambda-testing.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar,/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar

Dependency Hierarchy:

• ❌ tomcat-embed-core-7.0.0.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.

Publish Date: 2014-09-12

URL: CVE-2013-4444

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4444

Release Date: 2014-09-12

Fix Resolution: 7.0.40

---

⛑️ Automatic Remediation is available for this issue