On Wed, Apr 10, 2024 at 2:14 PM Mark Thomas wrote:
> > ... and it might represent an information leakage vulnerability in your
> > application. Be Careful.
>
> Shall we start the flame war now on whether exposing the current version
> you are running represents a valid vulnerability or if hiding it is
> just security by obscurity? Or do you want to save it for Bratislava?
>
> :)
>
> More seriously, your time is likely to be better spent (in my view)
> keeping your Tomcat installations up to date with the latest releases
> than it is ensuring that you hide the version number.
The amusing thing (or irritating thing, depending on your point of view) is when a large organization uses a vulnerability scanner and a Tomcat instance gets flagged as a security risk because it reveals its version number in the 404 error page. (Yes, this is a real scenario.)
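For readers who do end up having to satisfy such a scanner, the relevant knob is the ErrorReportValve that renders Tomcat's default error pages. The following server.xml fragment is an added example, not configuration posted by anyone in this thread; it assumes a stock server.xml with the default `localhost` Host and shows the scanner-visible default beside the quieted version. The `server` attribute on the Connector is only needed if a scanner also reads the `Server` response header, which Tomcat does not send by default.

```xml
<!-- Default behaviour (what the scanner flags): the 404 page reports
     "Apache Tomcat/x.y.z" in its footer. This Valve is implicit; it is
     written out here only to make the defaults visible. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="true"
         showServerInfo="true"/>
</Host>

<!-- Quieted configuration: no version string and no stack-trace/report
     body in container-generated error pages. Both attributes have
     existed since Tomcat 7.0.55 / 8.0.x. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false"
         showServerInfo="false"/>
</Host>

<!-- Optional: if a scanner also keys on the Server response header,
     set a neutral value on the Connector (Tomcat sends none by default). -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           server="web"/>
```

Note that this only changes what the error page says; the installed version is unchanged, and anyone with access to the host can still read it with `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`. That is the point of the reply above: the version string is a symptom the scanner can see, while the fix the scanner is really asking for is an up-to-date Tomcat.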