CVE-2017-5664
Description
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, the expected behaviour is to serve the content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request, this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user-provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
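As an added example (not Tomcat code and not part of this advisory), the pattern note (2) asks of user-provided error servlets, applied in a hypothetical `SafeErrorPageServlet` with a constructed web.xml mapping: it mirrors the upstream fix by routing every error dispatch to `doGet()` and refuses to act as an error page when reached directly.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.DispatcherType;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical custom error page (example code, not part of Tomcat).
 * Registered in web.xml with, for instance (constructed mapping):
 *
 *   <error-page>
 *     <error-code>404</error-code>
 *     <location>/errors/not-found</location>
 *   </error-page>
 *
 * The container forwards the failed request here with the ORIGINAL method
 * still set, so HttpServlet.service() would otherwise route an error raised
 * by a PUT to doPut(), one raised by a DELETE to doDelete(), and so on, with
 * this error page as the target resource.
 */
@WebServlet("/errors/not-found")
public class SafeErrorPageServlet extends HttpServlet {

    // Same pattern as the Tomcat fix: every error dispatch is treated as a GET.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getDispatcherType() == DispatcherType.ERROR) {
            doGet(req, resp);
        } else {
            // Direct requests keep the normal per-method dispatch, so methods
            // this servlet does not implement are answered with 405.
            super.service(req, resp);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The container sets these attributes only for an error dispatch.
        Integer status = (Integer) req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        if (status == null) {
            // Reached directly rather than via <error-page>: answer as a plain
            // 404 so the page cannot be used to fake an error response.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String failedUri = (String) req.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
        String message = (String) req.getAttribute(RequestDispatcher.ERROR_MESSAGE);

        // Keep the status the container chose and always render the page body,
        // exactly as a static error file would be served regardless of method.
        resp.setStatus(status);
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><head><title>Error " + status + "</title></head><body>");
        out.println("<h1>Error " + status + "</h1>");
        out.println("<p>Request URI: " + escape(failedUri) + "</p>");
        if (message != null) {
            out.println("<p>" + escape(message) + "</p>");
        }
        out.println("</body></html>");
    }

    // Minimal HTML escaping: the URI and message originate from the client
    // request and must not be reflected into the page unescaped.
    private static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The same `service()` override is what the Tomcat commits below add to DefaultServlet and WebdavServlet; a JSP error page (note 1) needs no equivalent unless it inspects the method itself.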
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat (Maven) | >= 9.0.0.M1, < 9.0.0.M21 | 9.0.0.M21 |
| org.apache.tomcat:tomcat (Maven) | >= 8.5.0, < 8.5.15 | 8.5.15 |
| org.apache.tomcat:tomcat (Maven) | >= 8.0.0, < 8.0.44 | 8.0.44 |
| org.apache.tomcat:tomcat (Maven) | >= 7.0.0, < 7.0.78 | 7.0.78 |
Affected products
- Apache Software Foundation / Apache Tomcat, v5 range: 9.0.0.M1 to 9.0.0.M20
Patches
58b32048ce25: Ensure that when the Default or WebDAV servlets process an error dispatch that the error resource is processed via the doGet() method irrespective of the method used for the original request that triggered the error.
3 files changed · +24 −0
java/org/apache/catalina/servlets/DefaultServlet.java+12 −0 modified@@ -423,6 +423,18 @@ protected String getPathPrefix(final HttpServletRequest request) { } + @Override + protected void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + if (req.getDispatcherType() == DispatcherType.ERROR) { + doGet(req, resp); + } else { + super.service(req, resp); + } + } + + /** * Process a GET request for the specified resource. *
java/org/apache/catalina/servlets/WebdavServlet.java+6 −0 modified@@ -40,6 +40,7 @@ import javax.naming.NamingEnumeration; import javax.naming.NamingException; import javax.naming.directory.DirContext; +import javax.servlet.DispatcherType; import javax.servlet.RequestDispatcher; import javax.servlet.ServletContext; import javax.servlet.ServletException; @@ -354,6 +355,11 @@ protected void service(HttpServletRequest req, HttpServletResponse resp) return; } + if (req.getDispatcherType() == DispatcherType.ERROR) { + doGet(req, resp); + return; + } + final String method = req.getMethod(); if (debug > 0) {
webapps/docs/changelog.xml+6 −0 modified@@ -140,6 +140,12 @@ <bug>60911</bug>: Ensure NPE will not be thrown when looking for SSL session ID. Based on a patch by Didier Gutacker. (violetagg) </fix> + <fix> + Ensure that when the Default or WebDAV servlets process an error + dispatch that the error resource is processed via the + <code>doGet()</code> method irrespective of the method used for the + original request that triggered the error. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote">
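Review bot: the new `service()` override in the DefaultServlet.java hunk carries no Javadoc, so the reason every ERROR dispatch is forced through `doGet()` (a static error page must be served as if by GET whatever the method of the request that failed; otherwise a failed PUT or DELETE would be applied to the error page itself when writes are enabled) lives only in the changelog; add a comment above `@Override` saying so. Also confirm that `javax.servlet.DispatcherType` is already imported in DefaultServlet.java, since this hunk uses `DispatcherType.ERROR` without adding the import that the WebdavServlet.java hunk has to add, and note that the two blank lines added after the new method leave consecutive blank lines before the existing `/** * Process a GET request` Javadoc.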
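Review bot: in the WebdavServlet.java hunk the ERROR-dispatch check is placed after an earlier `return;` whose condition lies outside the shown context; confirm that this earlier rejection is one that should still apply to error dispatches (an error page resolving under a rejected path must not be served either) and that nothing before the new block depends on the request method, which is only read on the `final String method = req.getMethod();` line that now follows it. The `return;` after `doGet(req, resp);` is needed here because the rest of `service()` switches on `method`, whereas the DefaultServlet hunk can use a plain if/else around `super.service()`; the two shapes are equivalent but a one-line comment would save the next reader from checking that.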
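Review bot: the new changelog `<fix>` entry names no bug id or advisory, unlike the neighbouring `<bug>60911</bug>` entry, so nothing in the release notes ties this change to the security issue it addresses; add the CVE reference to the entry once the advisory is published.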
25d3c0d93190: Ensure that when the Default or WebDAV servlets process an error dispatch that the error resource is processed via the doGet() method irrespective of the method used for the original request that triggered the error.
3 files changed · +24 −0
java/org/apache/catalina/servlets/DefaultServlet.java+12 −0 modified@@ -380,6 +380,18 @@ protected String getPathPrefix(final HttpServletRequest request) { } + @Override + protected void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + if (req.getDispatcherType() == DispatcherType.ERROR) { + doGet(req, resp); + } else { + super.service(req, resp); + } + } + + /** * Process a GET request for the specified resource. *
java/org/apache/catalina/servlets/WebdavServlet.java+6 −0 modified@@ -30,6 +30,7 @@ import java.util.TimeZone; import java.util.Vector; +import javax.servlet.DispatcherType; import javax.servlet.RequestDispatcher; import javax.servlet.ServletContext; import javax.servlet.ServletException; @@ -312,6 +313,11 @@ protected void service(HttpServletRequest req, HttpServletResponse resp) return; } + if (req.getDispatcherType() == DispatcherType.ERROR) { + doGet(req, resp); + return; + } + final String method = req.getMethod(); if (debug > 0) {
webapps/docs/changelog.xml+6 −0 modified@@ -78,6 +78,12 @@ determining if the current request is for custom error page or not. (markt) </fix> + <fix> + Ensure that when the Default or WebDAV servlets process an error + dispatch that the error resource is processed via the + <code>doGet()</code> method irrespective of the method used for the + original request that triggered the error. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper">
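Review bot: this is the same change as 58b32048ce25 applied to the tomcat80 tree; only the hunk offsets and the import context in WebdavServlet.java (`java.util.Vector` rather than the JNDI imports) differ, so the same points apply: document the purpose of the `service()` override, confirm `DispatcherType` is already imported in DefaultServlet.java since the hunk does not add it, and the changelog entry carries no bug or advisory reference.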
29893e66111d: Ensure that when the Default or WebDAV servlets process an error dispatch that the error resource is processed via the doGet() method irrespective of the method used for the original request that triggered the error.
3 files changed · +24 −0
java/org/apache/catalina/servlets/DefaultServlet.java+12 −0 modified@@ -407,6 +407,18 @@ protected String getPathPrefix(final HttpServletRequest request) { } + @Override + protected void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + if (req.getDispatcherType() == DispatcherType.ERROR) { + doGet(req, resp); + } else { + super.service(req, resp); + } + } + + /** * Process a GET request for the specified resource. *
java/org/apache/catalina/servlets/WebdavServlet.java+6 −0 modified@@ -30,6 +30,7 @@ import java.util.TimeZone; import java.util.Vector; +import javax.servlet.DispatcherType; import javax.servlet.RequestDispatcher; import javax.servlet.ServletContext; import javax.servlet.ServletException; @@ -315,6 +316,11 @@ protected void service(HttpServletRequest req, HttpServletResponse resp) return; } + if (req.getDispatcherType() == DispatcherType.ERROR) { + doGet(req, resp); + return; + } + final String method = req.getMethod(); if (debug > 0) {
webapps/docs/changelog.xml+6 −0 modified@@ -83,6 +83,12 @@ determining if the current request is for custom error page or not. (markt) </fix> + <fix> + Ensure that when the Default or WebDAV servlets process an error + dispatch that the error resource is processed via the + <code>doGet()</code> method irrespective of the method used for the + original request that triggered the error. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote">
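Review bot: same hunks as 25d3c0d93190 with only line offsets differing (the WebdavServlet.java import context is again `java.util.Vector`); the review points raised on 58b32048ce25 apply unchanged: missing Javadoc on the `service()` override, an unverified `DispatcherType` import in DefaultServlet.java, and a changelog entry without a bug or advisory reference.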
7d93527254d9: Ensure that when the Default or WebDAV servlets process an error dispatch that the error resource is processed via the doGet() method irrespective of the method used for the original request that triggered the error.
3 files changed · +24 −0
java/org/apache/catalina/servlets/DefaultServlet.java+12 −0 modified@@ -400,6 +400,18 @@ protected String getPathPrefix(final HttpServletRequest request) { } + @Override + protected void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + if (req.getDispatcherType() == DispatcherType.ERROR) { + doGet(req, resp); + } else { + super.service(req, resp); + } + } + + /** * Process a GET request for the specified resource. *
java/org/apache/catalina/servlets/WebdavServlet.java+6 −0 modified@@ -30,6 +30,7 @@ import java.util.TimeZone; import java.util.Vector; +import javax.servlet.DispatcherType; import javax.servlet.RequestDispatcher; import javax.servlet.ServletContext; import javax.servlet.ServletException; @@ -315,6 +316,11 @@ protected void service(HttpServletRequest req, HttpServletResponse resp) return; } + if (req.getDispatcherType() == DispatcherType.ERROR) { + doGet(req, resp); + return; + } + final String method = req.getMethod(); if (debug > 0) {
webapps/docs/changelog.xml+6 −0 modified@@ -88,6 +88,12 @@ determining if the current request is for custom error page or not. (markt) </fix> + <fix> + Ensure that when the Default or WebDAV servlets process an error + dispatch that the error resource is processed via the + <code>doGet()</code> method irrespective of the method used for the + original request that triggered the error. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote">
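Review bot: identical in content to 29893e66111d apart from hunk offsets; since four branches now carry the same `service()` override with no explanatory comment, it would be worth landing the Javadoc suggested on 58b32048ce25 in all of them so the branches do not drift when the next person touches error-dispatch handling.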
3bfe9fb88659: Use a more reliable mechanism for the DefaultServlet when determining if the current request is for custom error page or not.
2 files changed · +13 −7
java/org/apache/catalina/servlets/DefaultServlet.java+8 −7 modified@@ -245,7 +245,7 @@ public class DefaultServlet urlEncoder.addSafeCharacter('.'); urlEncoder.addSafeCharacter('*'); urlEncoder.addSafeCharacter('/'); - + if (Globals.IS_SECURITY_ENABLED) { factory = DocumentBuilderFactory.newInstance(); factory.setNamespaceAware(true); @@ -860,8 +860,7 @@ protected void serveResource(HttpServletRequest request, } } - boolean isError = - response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST; + boolean isError = DispatcherType.ERROR == request.getDispatcherType(); // Check if the conditions specified in the optional If headers are // satisfied. @@ -1326,7 +1325,7 @@ protected InputStream render(String contextPath, CacheEntry cacheEntry) } - + /** * Return an InputStream to an HTML representation of the contents * of this directory. @@ -1767,15 +1766,15 @@ protected Source findXsltInputStream(DirContext directory) private File validateGlobalXsltFile() { - + File result = null; String base = System.getProperty(Globals.CATALINA_BASE_PROP); - + if (base != null) { File baseConf = new File(base, "conf"); result = validateGlobalXsltFile(baseConf); } - + if (result == null) { String home = System.getProperty(Globals.CATALINA_HOME_PROP); if (home != null && !home.equals(base)) { @@ -2364,6 +2363,8 @@ protected static class Range { /** * Validate range. + * + * @return true if the range is valid, otherwise false */ public boolean validate() { if (end >= length)
webapps/docs/changelog.xml+5 −0 modified@@ -74,6 +74,11 @@ ensure that that correct encoding (path differs from query string) is applied and that the encoding is applied consistently. (markt) </fix> + <fix> + Use a more reliable mechanism for the <code>DefaultServlet</code> when + determining if the current request is for custom error page or not. + (markt) + </fix> </changelog> </subsection> <subsection name="Jasper">
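Review bot: the one logic change in DefaultServlet.java (`isError` derived from `DispatcherType.ERROR == request.getDispatcherType()` instead of `response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST`) is buried among four hunks that only strip trailing whitespace and one that adds a `@return` tag to `Range.validate()`; moving the cosmetic edits into a separate commit would make the security-relevant line easy to review and backport, which is in fact how the later backports e070a31ec81b, 3242efea525d and 4545dcce444a were cut. The new test is the right one: a status of 400 or above can also be set by a filter or by `sendError()` on a request that was never forwarded to an error page, while the ERROR dispatcher type is set only for the container's error-page dispatch. As with the other commits, confirm `DispatcherType` is already imported in this file, since the hunk does not add it.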
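Review bot: the changelog `<fix>` entry says neither what the previous mechanism was (the response status) nor what the new one is (the dispatcher type); a reader comparing behaviour across releases would want "status >= 400" versus "DispatcherType.ERROR" spelled out, and "for custom error page or not" reads better as "for a custom error page".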
e070a31ec81b: Use a more reliable mechanism for the DefaultServlet when determining if the current request is for custom error page or not.
2 files changed · +6 −1
java/org/apache/catalina/servlets/DefaultServlet.java+1 −1 modified@@ -760,7 +760,7 @@ protected void serveResource(HttpServletRequest request, return; } - boolean isError = response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST; + boolean isError = DispatcherType.ERROR == request.getDispatcherType(); boolean included = false; // Check if the conditions specified in the optional If headers are
webapps/docs/changelog.xml+5 −0 modified@@ -73,6 +73,11 @@ ensure that that correct encoding (path differs from query string) is applied and that the encoding is applied consistently. (markt) </fix> + <fix> + Use a more reliable mechanism for the <code>DefaultServlet</code> when + determining if the current request is for custom error page or not. + (markt) + </fix> </changelog> </subsection> <subsection name="Jasper">
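Review bot: one-line backport of 3bfe9fb88659 to the tomcat80 tree without the whitespace and Javadoc cleanups, which is the right scope; as there, confirm `DispatcherType` is imported in DefaultServlet.java since the hunk does not add it, and the changelog entry would benefit from naming the old and new criteria.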
3242efea525d: Use a more reliable mechanism for the DefaultServlet when determining if the current request is for custom error page or not.
2 files changed · +6 −1
java/org/apache/catalina/servlets/DefaultServlet.java+1 −1 modified@@ -794,7 +794,7 @@ protected void serveResource(HttpServletRequest request, return; } - boolean isError = response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST; + boolean isError = DispatcherType.ERROR == request.getDispatcherType(); boolean included = false; // Check if the conditions specified in the optional If headers are
webapps/docs/changelog.xml+5 −0 modified@@ -78,6 +78,11 @@ the number of places the associated <code>Charset</code> needs to be looked up. (markt) </scode> + <fix> + Use a more reliable mechanism for the <code>DefaultServlet</code> when + determining if the current request is for custom error page or not. + (markt) + </fix> </changelog> </subsection> <subsection name="Coyote">
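Review bot: same one-line change as e070a31ec81b at a different offset; the `DispatcherType` import in DefaultServlet.java is again not visible in the hunk and should be confirmed, and the `<fix>` entry is inserted after a `</scode>` entry here rather than a `</fix>`, so check that the changelog section ordering convention (fixes grouped together) is preserved.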
4545dcce444a: Use a more reliable mechanism for the DefaultServlet when determining if the current request is for custom error page or not.
2 files changed · +6 −1
java/org/apache/catalina/servlets/DefaultServlet.java+1 −1 modified@@ -787,7 +787,7 @@ protected void serveResource(HttpServletRequest request, return; } - boolean isError = response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST; + boolean isError = DispatcherType.ERROR == request.getDispatcherType(); boolean included = false; // Check if the conditions specified in the optional If headers are
webapps/docs/changelog.xml+5 −0 modified@@ -83,6 +83,11 @@ the number of places the associated <code>Charset</code> needs to be looked up. (markt) </scode> + <fix> + Use a more reliable mechanism for the <code>DefaultServlet</code> when + determining if the current request is for custom error page or not. + (markt) + </fix> </changelog> </subsection> <subsection name="Coyote">
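Review bot: identical to 3242efea525d apart from offsets, and the same two remarks apply: the `DispatcherType` import is not shown in the DefaultServlet.java hunk, and the changelog `<fix>` lands directly after a `</scode>` entry, so verify the section's grouping convention.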
References
- www.securityfocus.com/bid/98888 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-jmvv-524f-hj5j (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-5664 (ghsa: ADVISORY)
- www.debian.org/security/2017/dsa-3891 (nvd: WEB)
- www.debian.org/security/2017/dsa-3892 (nvd: WEB)
- www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html (nvd: WEB)
- www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html (nvd: WEB)
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (nvd: WEB)
- www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:1801 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:1802 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:1809 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:2493 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:2494 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:2633 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:2635 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:2636 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:2637 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:2638 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:3080 (nvd: WEB)
- github.com/apache/tomcat/commit/29893e66111d33cfe99dd01cb146317c0c262ef4 (ghsa: WEB)
- github.com/apache/tomcat/commit/3242efea525df01d15da6e90ea69a9a21b10b454 (ghsa: WEB)
- github.com/apache/tomcat/commit/3bfe9fb886598c4d8ecbe674216152006bbce456 (ghsa: WEB)
- github.com/apache/tomcat/commit/4545dcce444aa619374a659cb450dbbd0be3c921 (ghsa: WEB)
- github.com/apache/tomcat/commit/58b32048ce25cb812ae394dafb0cd57254c68155 (ghsa: WEB)
- github.com/apache/tomcat/commit/7d93527254d9e9371b342800617f20d13c8b85ad (ghsa: WEB)
- github.com/apache/tomcat80/commit/25d3c0d93190ef165ecd6c744bc15b5059abfa8f (ghsa: WEB)
- github.com/apache/tomcat80/commit/e070a31ec81b56377822e44883c64abb41f36a3b (ghsa: WEB)
- lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066%40%3Cannounce.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E (nvd, ghsa: WEB)
- security.netapp.com/advisory/ntap-20171019-0002 (ghsa: WEB; nvd)
- support.hpe.com/hpsc/doc/public/display (nvd: WEB)
- web.archive.org/web/20170801120345/http://www.securitytracker.com/id/1038641 (ghsa: WEB)
- web.archive.org/web/20170805032345/http://www.securityfocus.com/bid/98888 (ghsa: WEB)
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (nvd: WEB)
- www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (nvd: WEB)
- www.securitytracker.com/id/1038641 (nvd)