Hi Dev,
Regarding tomcat-embed, JARs were found under
configuration/org.eclipse.osgi/1218/0/.cp/lib/tomcat-embed-core-8.0.33.jar
and the user plugin is org.eclipse.cft.server.core.
I'd like to know if my Eclipse instance would be affected by the vulnerabilities recorded by
tomcat.apache.org (https://tomcat.apache.org/security-9.html),
given that tomcat-embed could have the Tomcat Server vulnerabilities.
In the negative case, is there any reasoning?
Thank you
David
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Thursday, 17 November 2022, 4:12
To: users@xxxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxxx>
Subject: Re: Tomcat-embed and Tomcat Vulnerabilities
On 16/11/2022 23:45, David Alejandro Christensen Arreola wrote:
> Hi Users,
>
> My question is about whether a vulnerability applies to my particular application. My application is using tomcat-embed.
>
> Since tomcat-embed is derived from Tomcat server, could tomcat-embed have the vulnerabilities that Tomcat server has?
Yes.
> In the affirmative case, is the disclosure of a vulnerability going to mention tomcat-embed or Tomcat Server only when applicable?
No. Vulnerabilities apply to all configurations unless the vulnerability
description explicitly states otherwise.
Mark