Tomcat version information disclosed when calling REST endpoints

    • Severity 3 - Minor

      Issue Summary

      When the REST API endpoints are accessed as an unauthenticated user, an error page is displayed, and this page contains the Tomcat version. This is a security concern: the server version should not be disclosed to unauthenticated callers.

      Steps to Reproduce

      1. As an unauthenticated user, access the following REST endpoint:
        • http(s)://<your-confluence-url>/rest/menu/latest/admin

      Expected Results

      • Error is displayed but the Tomcat version information is hidden.

      Actual Results

      • The error is displayed together with the Tomcat version details, as per the screenshot below:

      Workaround

      Alter the error-reporting behaviour by adding the following Valve inside the <Host> element of your server.xml file and restarting Tomcat:

      <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>

      This suppresses the server information (the Tomcat version banner) that is otherwise included in the error report.

      Note

      With showReport="false" on the valve, Tomcat returns only the HTTP status code and reason phrase in the HTML error page; the type/message/description section is omitted. showServerInfo="false" is the attribute that removes the Tomcat version banner.
      Ref: Apache Tomcat 8 Configuration Reference > The Valve Component > Error Report Valve
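      The following is an added verification script, not part of the original issue, for checking whether an error page still discloses the Tomcat version before and after the workaround. The two HTML bodies are constructed samples resembling the default ErrorReportValve output; the version number and the URL in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original issue. Checks whether the HTML body
# returned to an unauthenticated request still carries the Tomcat version
# banner that the default ErrorReportValve appends to its error pages.

# Returns 0 if the HTML on stdin contains a banner such as "Apache Tomcat/8.0.36",
# 1 otherwise.
leaks_tomcat_version() {
    grep -Eq 'Apache Tomcat/[0-9]+(\.[0-9]+)*'
}

# Fetches a URL without credentials and tests the body.
# Usage (placeholder URL): check_endpoint 'https://confluence.example.com/rest/menu/latest/admin'
check_endpoint() {
    # -s: no progress meter; curl prints the body regardless of the HTTP status.
    curl -s "$1" | leaks_tomcat_version
}

# Constructed sample: a default error page before the workaround
# (the version number is a placeholder).
BEFORE='<html><head><title>Apache Tomcat/8.0.36 - Error report</title></head>
<body><h1>HTTP Status 401 - Unauthorized</h1><hr class="line">
<p><b>type</b> Status report</p><p><b>message</b> <u>Unauthorized</u></p>
<p><b>description</b> <u>This request requires HTTP authentication.</u></p>
<hr class="line"><h3>Apache Tomcat/8.0.36</h3></body></html>'

# Constructed sample: the reduced page with showReport="false" showServerInfo="false".
AFTER='<html><head><title>Error report</title></head>
<body><h1>HTTP Status 401 - Unauthorized</h1><hr class="line"></body></html>'

if printf '%s\n' "$BEFORE" | leaks_tomcat_version; then
    echo "before workaround: Tomcat version disclosed"
fi
if ! printf '%s\n' "$AFTER" | leaks_tomcat_version; then
    echo "after workaround: Tomcat version hidden"
fi
```

      Run check_endpoint against the endpoint from the steps above before and after restarting Tomcat with the valve in place. Note that the valve only changes the error page body; the HTTP Server response header is configured separately on the Connector and is not affected by this workaround.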

            Assignee: Jeffery Xie
            Reporter: Ferdinand van Zyl (Inactive)
            Votes: 2
            Watchers: 11
