Details
- Bug
- Resolution: Fixed
- Low
- 7.16.0
- 7
- Severity 3 - Minor
- 2
Description
Issue Summary
When the REST API endpoints are accessed as an unauthenticated user, an error page is displayed, and this page contains the version information for Tomcat. This is a security concern: the server version should not be disclosed to unauthenticated users.
Steps to Reproduce
- As an unauthenticated user, access the following REST endpoint:
- http(s)://<your-confluence-url>/rest/menu/latest/admin
Expected Results
- An error is displayed, but the Tomcat version information is hidden.
Actual Results
- An error is displayed together with the Tomcat version details, as per the screenshot below:
Workaround
Alter the error-reporting behaviour by adding the following entry to your server.xml file:
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
This suppresses the server information that would otherwise be displayed as part of the error report.
Note
With showReport="false" set on the valve, Tomcat returns only the HTTP status code as HTML.
Ref: Apache Tomcat 8 Configuration Reference > The Valve Component > Error Report Valve
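To confirm that the workaround actually took effect, an administrator can request the endpoint unauthenticated and inspect the error response for the version footer that Tomcat's default ErrorReportValve appends. The script below is an added example and is not part of this issue or of Confluence; the two sample error bodies are constructed to resemble the default and the suppressed error page, and the function, variable and URL names are assumptions.

```python
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, Optional

# The default ErrorReportValve output ends with a footer such as
# "<h3>Apache Tomcat/8.5.35</h3>"; this pattern captures the version part.
TOMCAT_VERSION_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")

# Constructed sample: what the error page looks like before the workaround
# (showServerInfo defaults to true, so the version footer is present).
DEFAULT_ERROR_BODY = (
    '<!doctype html><html lang="en"><head>'
    "<title>HTTP Status 401 - Unauthorized</title></head><body>"
    "<h1>HTTP Status 401 - Unauthorized</h1><hr class=\"line\" />"
    "<p><b>Type</b> Status Report</p>"
    "<p><b>Description</b> The request lacks valid authentication credentials.</p>"
    '<hr class="line" /><h3>Apache Tomcat/8.5.35</h3></body></html>'
)

# Constructed sample: the same error after showReport="false" and
# showServerInfo="false" are set on the valve (status only, no footer).
SUPPRESSED_ERROR_BODY = (
    '<!doctype html><html lang="en"><head>'
    "<title>HTTP Status 401 - Unauthorized</title></head><body>"
    "<h1>HTTP Status 401 - Unauthorized</h1></body></html>"
)


def find_tomcat_version(body: str) -> Optional[str]:
    """Return the Tomcat version string found in an error body, or None."""
    match = TOMCAT_VERSION_RE.search(body)
    return match.group(1) if match else None


def assess_error_response(status: int, headers: Dict[str, str], body: str) -> Dict[str, object]:
    """Report whether an error response discloses the servlet container version.

    Checks both the HTML body (ErrorReportValve footer) and any Server header,
    since older Tomcat releases also announced themselves there.
    """
    version = find_tomcat_version(body)
    server_header = next((v for k, v in headers.items() if k.lower() == "server"), "")
    header_leak = re.search(r"tomcat|coyote", server_header, re.IGNORECASE) is not None
    return {
        "status": status,
        "version_in_body": version,
        "server_header": server_header,
        "discloses": version is not None or header_leak,
    }


def check_endpoint(url: str, timeout: float = 10.0) -> Dict[str, object]:
    """Fetch `url` without credentials and assess the error response.

    urllib raises HTTPError for 4xx/5xx, so the body is read from the
    exception object in that case.
    """
    request = urllib.request.Request(url, headers={"Accept": "text/html"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            status = response.status
            headers = dict(response.headers.items())
            body = response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status = err.code
        headers = dict(err.headers.items())
        body = err.read().decode("utf-8", "replace")
    return assess_error_response(status, headers, body)


if __name__ == "__main__":
    # Usage (URL is a placeholder for your own instance):
    #   python check_error_page.py https://<your-confluence-url>/rest/menu/latest/admin
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("usage: check_error_page.py <url>")
        sys.exit(2)
    result = check_endpoint(target)
    print(result)
    sys.exit(1 if result["discloses"] else 0)
```

Run it against your own instance before and after editing server.xml: a non-zero exit status means the version is still visible in the error response, so the valve change has not been picked up (the change requires a Tomcat restart).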
Attachments
Issue Links
- relates to JRASERVER-73263 Tomcat should not disclose its own version to unauthenticated users (Gathering Impact)
- follows VULN-680771
- links to