
CVE-2017-15706: Inconsistent documentation in Apache Tomcat

CVSS Score: 5.3 (CVSS 3.0)

Basic Information

EPSS Score: 0.89643%
Published: 5/14/2022
Updated: 12/8/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.tomcat:tomcat | maven | >= 9.0.0.M22, < 9.0.2 | 9.0.2 |
| org.apache.tomcat:tomcat | maven | >= 8.5.16, < 8.5.24 | 8.5.24 |
| org.apache.tomcat:tomcat | maven | >= 8.0.45, < 8.0.48 | 8.0.48 |
| org.apache.tomcat:tomcat | maven | >= 7.0.79, < 7.0.84 | 7.0.84 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

CVE-2017-15706 stems from incorrect documentation of the CGI Servlet's script search algorithm in Apache Tomcat, not from a flaw in the code itself. The actual behavior of the CGI Servlet remained unchanged; only the documentation was erroneous. Methods of org.apache.catalina.servlets.CGIServlet (e.g., the script resolution logic) are involved in the process, but they were not inherently vulnerable. The risk arose from the mismatch between the documented behavior and the implementation, leading to misconfigurations. Because no code changes were made to "fix" the vulnerability (only documentation corrections), no specific function in the codebase can be identified as vulnerable with high confidence.

