https://bz.apache.org/bugzilla/show_bug.cgi?id=62472
Bug ID: 62472
Summary: Tenable (Nessus) Security Scanner reports a 404 page vulnerability when no ROOT web application is deployed in Tomcat 9.0.5 and later
Product: Tomcat 9
Version: 9.0.5
Hardware: All
OS: All
Status: NEW
Severity: regression
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: dtgjyh...@yahoo.com
Target Milestone: -----

The vulnerability is Tomcat version disclosure via the 404 error page; see https://www.tenable.com/plugins/nessus/12085 for details.

Steps to reproduce:
1. Delete everything from the webapps directory.
2. Start Tomcat.
3. Go to http://localhost:8080/test

Tomcat 9.0.4 and all earlier versions show a blank page, which is good because there's no Tomcat version disclosure. Tomcat 9.0.5 and later show the standard "HTTP Status 404 – Not Found" page, which contains the Tomcat version number.

If I have a web application deployed in ROOT, it's not a problem, because I can create a custom 404 error page that doesn't include the Tomcat version number. But if I don't have ROOT, it becomes impossible without creating a dummy web application in ROOT that overrides the 404 error page, or modifying conf/web.xml, which is not always possible or desirable.
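The check the scanner performs, as an added example that is not part of the bug report or of Tomcat itself: request a path that cannot exist and look for the "Apache Tomcat/x.y.z" marker in the error body. The sample body is constructed here to mirror the shape of the default Tomcat 9.0.x error page; the base URL of localhost:8080 is assumed from the reproduction steps above.

```shell
#!/bin/sh
# Added example (not from the bug report): detect Tomcat version disclosure
# in a 404 error page body.

# Constructed sample of a default Tomcat 9.0.x 404 page (not a real capture).
SAMPLE_404='<html lang="en"><head><title>HTTP Status 404 – Not Found</title></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><hr class="line" /><h3>Apache Tomcat/9.0.5</h3></body></html>'

# Read an HTML body on stdin; print the first "Apache Tomcat/<version>" found
# and return 0, or print nothing and return 1 when no version is disclosed.
tomcat_version_from_body() {
    v=$(sed -n 's/.*Apache Tomcat\/\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Fetch a path that cannot exist on the target and run the check on the
# response body. Base URL is an assumption; override with the first argument.
check_tomcat_404() {
    base="${1:-http://localhost:8080}"
    curl -s "$base/does-not-exist-$$" | tomcat_version_from_body
}

# Stand-alone run against the constructed sample: prints "9.0.5".
printf '%s' "$SAMPLE_404" | tomcat_version_from_body
```

A return of 1 from `tomcat_version_from_body` corresponds to the blank page the reporter describes for 9.0.4 and earlier, or to a custom error page that omits the version. Independently of the report, Tomcat's ErrorReportValve also accepts `showServerInfo="false"` in server.xml, which removes the version line from the default page without touching conf/web.xml or deploying a ROOT application.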