CVE-2024-52318 Apache Tomcat - XSS in generated JSPs
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0
Apache Tomcat 10.1.31
Apache Tomcat 9.0.96
Description:
The fix for improvement 69333 [0] caused pooled JSP tags not to be
released after use which in turn could cause output of some tags not to
escaped as expected. This unescaped output could lead to XSS.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.1 or later
- Upgrade to Apache Tomcat 10.1.33 or later
Note: 10.1.32 was not released
- Upgrade to Apache Tomcat 9.0.97 or later
Credit:
This vulnerability identified by the Tomcat security team
History:
2024-11-18 Original advisory
References:
[0] https://bz.apache.org/bugzilla/show_bug.cgi?id=69333
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
