CVE-2017-15706: Inconsistent documentation in Apache Tomcat
CVSS Score: 5.3 (CVSS v3.0)
Basic Information
CVE ID: CVE-2017-15706
GHSA ID:
EPSS Score: 0.89643%
CWE:
Published: 5/14/2022
Updated: 12/8/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.tomcat:tomcat | maven | >= 9.0.0.M22, < 9.0.2 | 9.0.2 |
org.apache.tomcat:tomcat | maven | >= 8.5.16, < 8.5.24 | 8.5.24 |
org.apache.tomcat:tomcat | maven | >= 8.0.45, < 8.0.48 | 8.0.48 |
org.apache.tomcat:tomcat | maven | >= 7.0.79, < 7.0.84 | 7.0.84 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
CVE-2017-15706 stems from an incorrect description of the CGI Servlet's script search algorithm in the Apache Tomcat documentation, not from a flaw in the code. The behaviour of the CGI Servlet itself (org.apache.catalina.servlets.CGIServlet and its script-resolution logic) was unchanged across the affected versions and was not inherently vulnerable. The risk came from the mismatch between what the documentation described and what the servlet actually does: an administrator who configured CGI script mappings according to the erroneous text could find that some scripts failed to execute as expected while others executed unexpectedly. The fix consisted solely of documentation corrections, with no code change, so no function in the codebase can be identified as vulnerable with high confidence. Note that the CGI Servlet is disabled by default (its mapping is commented out in Tomcat's conf/web.xml); only deployments that enabled it and relied on the affected documentation are exposed, and upgrading to a version with the corrected documentation does not by itself change runtime behaviour.
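The practical check is whether an installed Tomcat falls inside one of the version ranges in the table above, which is slightly awkward because the 9.0.x lower bound is a milestone build (9.0.0.M22) that must sort before the 9.0.0 GA release. The script below is an added example, not part of this advisory or of Apache Tomcat; it parses Tomcat version strings with that ordering, reads the version out of a constructed sample of `catalina.sh version` output, and reports the first release carrying the corrected documentation.

```python
"""Version-range check for the advisory table above.

Added example, not part of the advisory or of Apache Tomcat. It parses Tomcat
version strings (including the 9.0.0.Mxx milestone releases that appear in the
table's lower bound) and reports whether a given build falls in an affected
range and which release first carried the corrected documentation.
"""
import re
from typing import Optional, Tuple

# (lower bound inclusive, upper bound exclusive), copied from the advisory table.
AFFECTED_RANGES = [
    ("9.0.0.M22", "9.0.2"),
    ("8.5.16", "8.5.24"),
    ("8.0.45", "8.0.48"),
    ("7.0.79", "7.0.84"),
]

# major.minor.patch with an optional Tomcat milestone suffix such as ".M22".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

# "Server version: Apache Tomcat/9.0.1" is the line printed by `catalina.sh version`.
_SERVER_LINE_RE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Map a version string to a sortable tuple.

    A milestone (9.0.0.M22) sorts before the GA release of the same numbers
    (9.0.0), matching how Maven orders qualified versions: slot 4 is 0 for a
    milestone and 1 for GA, and slot 5 carries the milestone number.
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def first_patched_version(version: str) -> Optional[str]:
    """Return the first fixed release if `version` is affected, else None."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return high
    return None


def is_affected(version: str) -> bool:
    return first_patched_version(version) is not None


def version_from_catalina_output(text: str) -> Optional[str]:
    """Pull the version out of `catalina.sh version` / `version.sh` output."""
    m = _SERVER_LINE_RE.search(text)
    return m.group(1) if m else None


# Constructed sample of `catalina.sh version` output (not captured from a real host).
SAMPLE_OUTPUT = """\
Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.1
Server number:  9.0.1.0
"""

if __name__ == "__main__":
    installed = version_from_catalina_output(SAMPLE_OUTPUT)
    for candidate in (installed, "9.0.0.M22", "9.0.0.M21", "9.0.2", "8.5.23", "7.0.84"):
        fix = first_patched_version(candidate)
        status = f"affected, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{candidate:>10}: {status}")
```

The ranges are the Maven coordinates from the table but apply equally to binary distributions of the same version numbers. A match only tells you the documentation shipped with that build was wrong; whether it matters depends on whether the CGI Servlet was enabled and its mappings were written against that text.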