Overview
There is an insecure default configuration in Apache Tomcat web server that places several sample applications in the webroot. Remote users may be able to use these applications to gain sensitive information about the server's configuration.
Description
There are several sample applications that ship with Apache Tomcat, and are installed in the webroot by default. If these applications are left in the webroot of a production machine, remote users may be able to gain sensitive information about the server's configuration. |
Impact
A remote user may be able to gain sensitive information about the server's configuration. |
Solution
The CERT/CC is currently unaware of a practical solution to this problem. |
Remove the sample files prior to placing the server into production. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to ProCheckUp for reporting this vulnerability.
This document was written by Jason A Rafail.
Other Information
| CVE IDs: | None |
| Severity Metric: | 3.00 |
| Date Public: | 2002-05-29 |
| Date First Published: | 2002-06-11 |
| Date Last Updated: | 2002-06-11 20:32 UTC |
| Document Revision: | 7 |