Tomcat version information disclosed when calling REST endpoints


    • Severity 3 - Minor

      Issue Summary

      When the REST API endpoints are accessed as an unauthenticated user, an error page is displayed, and this page contains the Tomcat version information. This is a security concern; the version should not be disclosed.

      Steps to Reproduce

      1. As an unauthenticated user, access the following REST endpoint:
        • http(s)://<your-confluence-url>/rest/menu/latest/admin

      Expected Results

      • Error is displayed but the Tomcat version information is hidden.

      Actual Results

      • The error is displayed together with the Tomcat version details, as per the screenshot below:

      Workaround

      Alter the behavior of the error reporting by adding the following entry to your server.xml file:

      <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>

      This will suppress the server information being displayed as part of the error report.

      Note

      With showReport="false" set on the valve, Tomcat returns only the HTTP status code as HTML.
      Ref: Apache Tomcat 8 Configuration Reference > The Valve Component > Error_Report_Valve
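      As an added check, not part of the original issue, the script below parses a server.xml (constructed samples, embedded inline) and reports whether an ErrorReportValve with showReport="false" and showServerInfo="false" is present, and it also scans a constructed error page body for the "Apache Tomcat/<version>" string that the default error report prints. It assumes Tomcat's documented defaults of true for both attributes when they are omitted.

```python
import re
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"
# Version string printed by the default Tomcat error report (e.g. "Apache Tomcat/9.0.0")
TOMCAT_VERSION_RE = re.compile(r"Apache Tomcat/\d+(\.\d+)*")

# Constructed sample: default server.xml with no ErrorReportValve configured
SERVER_XML_DEFAULT = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# Constructed sample: the workaround from the issue applied to the Host element
SERVER_XML_HARDENED = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed error page bodies (the version number is made up for the sample)
SAMPLE_LEAKY_ERROR_PAGE = "<h1>HTTP Status 401</h1><hr/><h3>Apache Tomcat/9.0.0</h3>"
SAMPLE_CLEAN_ERROR_PAGE = "<html><body><h1>HTTP Status 401</h1></body></html>"


def error_valve_settings(server_xml: str) -> dict:
    """Attributes of the first ErrorReportValve in server.xml, or {} if none is configured."""
    root = ET.fromstring(server_xml)
    for valve in root.iter("Valve"):
        if valve.get("className") == ERROR_VALVE:
            return dict(valve.attrib)
    return {}


def is_hardened(server_xml: str) -> bool:
    """True only when the valve exists and both report and server info are switched off."""
    attrs = error_valve_settings(server_xml)
    # Tomcat defaults both attributes to "true" when they are absent (assumption from the docs)
    return (attrs.get("showReport", "true").lower() == "false"
            and attrs.get("showServerInfo", "true").lower() == "false")


def leaks_version(error_page_html: str) -> bool:
    """True if an error response body still carries the Tomcat version string."""
    return TOMCAT_VERSION_RE.search(error_page_html) is not None
```

Run is_hardened against a live server.xml to confirm the workaround is in place, and leaks_version against the body returned by the unauthenticated REST call to confirm the version is gone.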

              Assignee:
              Jeffery Xie
              Reporter:
              Ferdinand van Zyl (Inactive)