VYPR
Medium severity · 4.3 (NVD score) · Advisory · Published Aug 11, 2017 · Updated May 13, 2026

CVE-2017-7674

Description

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
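As an added illustration (written for this page; it is not Tomcat's own code or test suite, and not taken from the advisory) the Python model below shows what the missing header lets a cache do. It assumes a constructed allow-list of two origins and a constructed /api/account URL; cors_filter stands in for the filter's handleSimpleCORS, SharedCache for any RFC 7234 style cache between the clients and Tomcat (a browser's own HTTP cache behaves the same way, which is the "client side" case in the description), and run_scenario plays two clients through that cache in turn.

```python
# Added model of the CVE-2017-7674 cache-poisoning scenario. This is
# illustration code written for this page, not Tomcat's CorsFilter, and the
# origins, URL and body below are constructed sample data.
from dataclasses import dataclass

# Constructed allow-list, standing in for the filter's cors.allowed.origins.
ALLOWED_ORIGINS = {"https://app.example", "https://partner.example"}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def cors_filter(req_headers: dict, add_vary: bool) -> Response:
    """Stand-in for CorsFilter.handleSimpleCORS: an allowed Origin is echoed
    into Access-Control-Allow-Origin. add_vary=False mimics the unpatched
    filter; add_vary=True mimics the fix, which (as in the patch) adds
    Vary: Origin only when a cross-origin request is being handled."""
    headers = {"Cache-Control": "public, max-age=600",
               "Content-Type": "application/json"}
    origin = req_headers.get("Origin")
    if origin is not None:
        if origin not in ALLOWED_ORIGINS:
            return Response(403, headers, "")
        headers["Access-Control-Allow-Origin"] = origin
        if add_vary:
            headers["Vary"] = "Origin"
    return Response(200, headers, '{"balance": 42}')


class SharedCache:
    """Minimal RFC 7234-style cache. The primary key is (method, URL); when a
    stored response names request headers in Vary, their values at store time
    form a secondary key that a later request must match to get a hit."""

    def __init__(self):
        self.entries = {}  # (method, url) -> [(selected_headers, Response)]

    def lookup(self, method, url, req_headers):
        for selected, resp in self.entries.get((method, url), []):
            # An empty secondary key (no Vary) matches every request.
            if all(req_headers.get(h) == v for h, v in selected.items()):
                return resp
        return None

    def store(self, method, url, req_headers, resp):
        vary = [h.strip() for h in resp.headers.get("Vary", "").split(",")
                if h.strip()]
        selected = {h: req_headers.get(h) for h in vary}
        self.entries.setdefault((method, url), []).append((selected, resp))


def fetch(cache, server, method, url, req_headers):
    """One client request through the cache. Returns (response, cache_hit)."""
    cached = cache.lookup(method, url, req_headers)
    if cached is not None:
        return cached, True
    resp = server(req_headers)
    if resp.status == 200:
        cache.store(method, url, req_headers, resp)
    return resp, False


def browser_allows(page_origin, resp):
    """Browser-side CORS check for a credentialed request: the response must
    carry Access-Control-Allow-Origin equal to the page's origin."""
    if page_origin is None:          # same-origin request, no CORS check
        return True
    return resp.headers.get("Access-Control-Allow-Origin") == page_origin


def run_scenario(add_vary, first_origin, second_origin):
    """Two clients behind one shared cache request the same URL in turn.
    Returns (second request served from cache, second client's CORS check
    passed). A (True, False) result means the second client got a poisoned
    cache entry."""
    cache = SharedCache()

    def server(req_headers):
        return cors_filter(req_headers, add_vary)

    first = {"Origin": first_origin} if first_origin else {}
    second = {"Origin": second_origin} if second_origin else {}
    fetch(cache, server, "GET", "/api/account", first)
    resp, hit = fetch(cache, server, "GET", "/api/account", second)
    return hit, browser_allows(second_origin, resp)


if __name__ == "__main__":
    app, partner = "https://app.example", "https://partner.example"
    # Unpatched: partner's ACAO is cached and replayed to app -> blocked.
    print("no Vary, partner then app:", run_scenario(False, partner, app))
    # Patched: Vary: Origin keys the entry on Origin, app gets its own copy.
    print("Vary, partner then app:   ", run_scenario(True, partner, app))
    # Still poisonable: a no-Origin request seeds an entry that carries
    # neither ACAO nor Vary, so the later cross-origin request hits it.
    print("Vary, no-Origin then app: ", run_scenario(True, None, app))
```

The third scenario follows the patch on this page literally: Vary: Origin is added only when the filter handles a cross-origin request, so a cache entry seeded by a request that carried no Origin header has neither Access-Control-Allow-Origin nor Vary and is still served to a later cross-origin request. Where a shared cache or CDN sits in front of Tomcat, have that layer add Vary: Origin to every cacheable response as well, and verify a live instance by sending a request with an Origin header and confirming the reply contains Vary: Origin.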

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions            Patched versions
org.apache.tomcat:tomcat (Maven)   >= 9.0.0.M1, < 9.0.0.M22     9.0.0.M22
org.apache.tomcat:tomcat (Maven)   >= 8.5.0, < 8.5.16           8.5.16
org.apache.tomcat:tomcat (Maven)   >= 8.0.0.RC1, < 8.0.45       8.0.45
org.apache.tomcat:tomcat (Maven)   >= 7.0.41, < 7.0.79          7.0.79

Affected products

124 entries
  • Apache/Tomcat (123 versions)
    • cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.15:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.25:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.31:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.34:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.36:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.37:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.38:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.39:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.40:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.41:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.42:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.43:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.44:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
  • Apache Software Foundation/Apache Tomcat (v5)
    Range: 9.0.0.M1 to 9.0.0.M21

Patches (4)

52382ebfbce2

BZ61101: CORS filter should set Vary header in response. Submitted by Rick Riemer.

https://github.com/apache/tomcat · Remy Maucherat · May 22, 2017 · via ghsa
2 files changed · +19 -0
  • java/org/apache/catalina/filters/CorsFilter.java (+11 -0, modified)
    @@ -297,6 +297,10 @@ protected void handleSimpleCORS(final HttpServletRequest request,
                         exposedHeadersString);
             }
     
    +        // Indicate the response depends on the origin
    +        response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
    +                CorsFilter.REQUEST_HEADER_ORIGIN);
    +
             // Forward the request down the filter chain.
             filterChain.doFilter(request, response);
         }
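Review bot: the Vary header is emitted only on the handleSimpleCORS path shown here, so a response the filter lets through for a request that carries no Origin header still has no Vary: Origin. A shared cache that stores that variant will hand the same copy, which also has no Access-Control-Allow-Origin, to a later cross-origin request for the same URL, and that request's CORS check then fails. Consider adding the header on every response the filter touches, not only the simple/actual CORS case, since the response genuinely depends on Origin in all of them.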
    @@ -998,6 +1002,13 @@ public Collection<String> getAllowedHttpHeaders() {
                 "Access-Control-Allow-Headers";
     
         // -------------------------------------------------- CORS Request Headers
    +
    +    /**
    +     * The Vary header indicates allows disabling proxy caching by indicating
    +     * the the response depends on the origin.
    +     */
    +    public static final String REQUEST_HEADER_VARY = "Vary";
    +
         /**
          * The Origin header indicates where the cross-origin request or preflight
          * request originates from.
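Review bot: the Javadoc on REQUEST_HEADER_VARY is garbled ("indicates allows disabling proxy caching by indicating the the response") and slightly wrong: Vary does not disable caching, it tells a cache to key the stored response on the listed request header. Suggest: "The Vary response header tells caches that this response depends on the value of the Origin request header." The constant also sits under the "// CORS Request Headers" divider with a REQUEST_HEADER_ prefix although Vary is a response header; RESPONSE_HEADER_VARY, placed with the Access-Control-Allow-* response-header constants above the divider, would be consistent with the rest of the class.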
    
  • webapps/docs/changelog.xml (+8 -0, modified)
    @@ -58,6 +58,14 @@
       issues do not "pop up" wrt. others).
     -->
     <section name="Tomcat 7.0.79 (violetagg)">
    +  <subsection name="Catalina">
    +    <changelog>
    +      <fix>
    +        <bug>61101</bug>: CORS filter should set Vary header in response.
    +        Submitted by Rick Riemer. (remm)
    +      </fix>
    +    </changelog>
    +  </subsection>
       <subsection name="Coyote">
         <changelog>
           <fix>
    
f52c242d92d4

BZ61101: CORS filter should set Vary header in response. Submitted by Rick Riemer.

https://github.com/apache/tomcat80 · Remy Maucherat · May 22, 2017 · via ghsa
2 files changed · +19 -0
  • java/org/apache/catalina/filters/CorsFilter.java (+11 -0, modified)
    @@ -297,6 +297,10 @@ protected void handleSimpleCORS(final HttpServletRequest request,
                         exposedHeadersString);
             }
     
    +        // Indicate the response depends on the origin
    +        response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
    +                CorsFilter.REQUEST_HEADER_ORIGIN);
    +
             // Forward the request down the filter chain.
             filterChain.doFilter(request, response);
         }
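Review bot: response.addHeader(...) runs before filterChain.doFilter(request, response), so anything further down the chain that calls response.setHeader("Vary", ...) (a servlet that already varies on Accept-Encoding, say) silently replaces the Origin entry and a cache is back to replaying one origin's Access-Control-Allow-Origin to another. Either add the header after the chain returns, guarded by response.isCommitted(), or document that downstream code must use addHeader rather than setHeader for Vary; multiple Vary header fields are combined as one list by receivers, so addHeader is safe on the filter's side.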
    @@ -998,6 +1002,13 @@ public Collection<String> getAllowedHttpHeaders() {
                 "Access-Control-Allow-Headers";
     
         // -------------------------------------------------- CORS Request Headers
    +
    +    /**
    +     * The Vary header indicates allows disabling proxy caching by indicating
    +     * the the response depends on the origin.
    +     */
    +    public static final String REQUEST_HEADER_VARY = "Vary";
    +
         /**
          * The Origin header indicates where the cross-origin request or preflight
          * request originates from.
    
  • webapps/docs/changelog.xml (+8 -0, modified)
    @@ -45,6 +45,14 @@
       issues do not "pop up" wrt. others).
     -->
     <section name="Tomcat 8.0.45 (violetagg)" rtext="In development">
    +  <subsection name="Catalina">
    +    <changelog>
    +      <fix>
    +        <bug>61101</bug>: CORS filter should set Vary header in response.
    +        Submitted by Rick Riemer. (remm)
    +      </fix>
    +    </changelog>
    +  </subsection>
       <subsection name="Coyote">
         <changelog>
           <fix>
    
9044c1672bbe

BZ61101: CORS filter should set Vary header in response. Submitted by Rick Riemer.

https://github.com/apache/tomcat · Remy Maucherat · May 22, 2017 · via ghsa
2 files changed · +15 -0
  • java/org/apache/catalina/filters/CorsFilter.java (+11 -0, modified)
    @@ -286,6 +286,10 @@ protected void handleSimpleCORS(final HttpServletRequest request,
                         exposedHeadersString);
             }
     
    +        // Indicate the response depends on the origin
    +        response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
    +                CorsFilter.REQUEST_HEADER_ORIGIN);
    +
             // Forward the request down the filter chain.
             filterChain.doFilter(request, response);
         }
    @@ -981,6 +985,13 @@ public Collection<String> getAllowedHttpHeaders() {
                 "Access-Control-Allow-Headers";
     
         // -------------------------------------------------- CORS Request Headers
    +
    +    /**
    +     * The Vary header indicates allows disabling proxy caching by indicating
    +     * the the response depends on the origin.
    +     */
    +    public static final String REQUEST_HEADER_VARY = "Vary";
    +
         /**
          * The Origin header indicates where the cross-origin request or preflight
          * request originates from.
    
  • webapps/docs/changelog.xml (+4 -0, modified)
    @@ -57,6 +57,10 @@
             <code>o.a.c.connector.CoyoteAdapter#parseSessionCookiesId</code>.
             Patch provided by John Andrew (XUZHOUWANG) via Github. (violetagg)
           </fix>
    +      <fix>
    +        <bug>61101</bug>: CORS filter should set Vary header in response.
    +        Submitted by Rick Riemer. (remm)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Coyote">
    
b94478d45b7e

BZ61101: CORS filter should set Vary header in response. Submitted by Rick Riemer.

https://github.com/apache/tomcat · Remy Maucherat · May 22, 2017 · via ghsa
2 files changed · +15 -0
  • java/org/apache/catalina/filters/CorsFilter.java (+11 -0, modified)
    @@ -277,6 +277,10 @@ protected void handleSimpleCORS(final HttpServletRequest request,
                         exposedHeadersString);
             }
     
    +        // Indicate the response depends on the origin
    +        response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
    +                CorsFilter.REQUEST_HEADER_ORIGIN);
    +
             // Forward the request down the filter chain.
             filterChain.doFilter(request, response);
         }
    @@ -966,6 +970,13 @@ public Collection<String> getAllowedHttpHeaders() {
                 "Access-Control-Allow-Headers";
     
         // -------------------------------------------------- CORS Request Headers
    +
    +    /**
    +     * The Vary header indicates allows disabling proxy caching by indicating
    +     * the the response depends on the origin.
    +     */
    +    public static final String REQUEST_HEADER_VARY = "Vary";
    +
         /**
          * The Origin header indicates where the cross-origin request or preflight
          * request originates from.
    
  • webapps/docs/changelog.xml (+4 -0, modified)
    @@ -57,6 +57,10 @@
             <code>o.a.c.connector.CoyoteAdapter#parseSessionCookiesId</code>.
             Patch provided by John Andrew (XUZHOUWANG) via Github. (violetagg)
           </fix>
    +      <fix>
    +        <bug>61101</bug>: CORS filter should set Vary header in response.
    +        Submitted by Rick Riemer. (remm)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Coyote">
    
