Hello all,

A new CVE for Tomcat. While its severity is graded as "Low", please act on it by removing the examples web application that comes with a typical Tomcat installation (i.e. $TOMCAT_HOME/webapps/examples) if you haven't already done so. We encourage everyone to remove all unused web applications that come with a default Tomcat installation for this reason.

CVE-2022-34305 Apache Tomcat - XSS in examples web application

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M16
Apache Tomcat 10.0.0-M1 to 10.0.22
Apache Tomcat 9.0.30 to 9.0.64
Apache Tomcat 8.5.50 to 8.5.81

Description:
The Form authentication example in the examples web application displayed user provided data without filtering, exposing an XSS vulnerability.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Remove the examples web application as documented in the Tomcat security guide
- Upgrade to Apache Tomcat 10.1.0-M17 or later once released
- Upgrade to Apache Tomcat 10.0.23 or later once released
- Upgrade to Apache Tomcat 9.0.65 or later once released
- Upgrade to Apache Tomcat 8.5.82 or later once released

History:
2022-06-23 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
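As an added example (not part of the advisory or of the message above), a POSIX shell check that reads the installed Tomcat version from catalina.jar, tests it against the affected ranges listed in the advisory, and reports default webapps (examples, docs, manager, host-manager) that are still deployed. It assumes the standard $TOMCAT_HOME layout and that unzip is available.

```shell
#!/bin/sh
# Added example: audit a Tomcat install for CVE-2022-34305 (version range
# and leftover examples webapp). Assumes $TOMCAT_HOME/lib/catalina.jar and
# $TOMCAT_HOME/webapps/<app>; the version lookup relies on unzip.

# Return 0 when a version string such as "9.0.64" or "10.1.0-M16" lies in
# one of the affected ranges from the advisory, 1 otherwise.
tomcat_affected() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%-*}                # "0-M16" -> "0"
    case "$v" in
        *-M*) milestone=${v##*-M} ;; # "10.1.0-M16" -> "16"
        *)    milestone=999 ;;       # a GA release sorts after every milestone
    esac
    case "$major.$minor" in
        10.1) [ "$patch" -eq 0 ] && [ "$milestone" -le 16 ] ;;   # 10.1.0-M1..M16
        10.0) [ "$patch" -le 22 ] ;;                             # 10.0.0-M1..10.0.22
        9.0)  [ "$patch" -ge 30 ] && [ "$patch" -le 64 ] ;;      # 9.0.30..9.0.64
        8.5)  [ "$patch" -ge 50 ] && [ "$patch" -le 81 ] ;;      # 8.5.50..8.5.81
        *)    return 1 ;;
    esac
}

# Print the bare version stored in catalina.jar's ServerInfo.properties
# ("server.info=Apache Tomcat/9.0.64"); prints nothing if it cannot be read.
tomcat_version() {
    unzip -p "$1/lib/catalina.jar" org/apache/catalina/util/ServerInfo.properties 2>/dev/null \
        | sed -n 's#^server\.info=Apache Tomcat/##p'
}

# Print each default webapp still deployed under $1/webapps (exploded dir or WAR).
default_webapps_present() {
    for app in examples docs manager host-manager; do
        if [ -d "$1/webapps/$app" ] || [ -f "$1/webapps/$app.war" ]; then
            echo "$app"
        fi
    done
}

# Stand-alone run: TOMCAT_HOME=/opt/tomcat sh tomcat_cve_2022_34305_check.sh
if [ "${TOMCAT_HOME:-}" ]; then
    ver=$(tomcat_version "$TOMCAT_HOME")
    echo "Tomcat version: ${ver:-unknown}"
    if [ -n "$ver" ] && tomcat_affected "$ver"; then
        echo "version $ver is in an affected range: upgrade per the advisory"
    fi
    for app in $(default_webapps_present "$TOMCAT_HOME"); do
        echo "default webapp still deployed: $app (remove $TOMCAT_HOME/webapps/$app and $app.war)"
    done
fi
```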