Tomcat /status Information Disclosure Network Vulnerability

Summary

Requesting the URI /status gives information about the currently running Tomcat. It also allows anybody to reset (ie: permanently delete) the current statistics.

Solution

If you don't use this feature, comment the appropriate section in your httpd.conf file. If you really need it, limit its access to the administrator's machine.

Severity

Classification

CVSS Base Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

Related Vulnerabilities

CERN HTTPD access control bypass
Lil' HTTP Server Cross Site Scripting Vulnerability
IBM WebSphere Application Server (WAS) Multiple Vulnerabilities
iWeb Server URL Directory Traversal Vulnerability
Apache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability

Tomcat /status information disclosure

Take action and discover your vulnerabilities