Tomcat Version Disclosure

Description

Exposing detailed information such as the Tomcat version number facilitates attackers in identifying vulnerabilities and planning their attacks more effectively.

Recommendation

To mitigate this issue:

• Open the server.xml file.
• Find the Host section and add the following line immediately after it: <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
• Save the file and restart the application.

References

• OWASP: Fingerprint Web Server
• Apache Tomcat Documentation: ErrorReportValve
• Apache Tomcat
• CWE-16
• CWE-200
• CAPEC-118
• OWASP 2021-A5

Related Issues

• Apache Version Disclosure - Vulnerability
• Nginx Version Disclosure - Vulnerability
• Server Version Disclosure - Vulnerability
• ASP.NET Version Disclosure - Vulnerability

Tags:

Information Disclosure

Server Misconfiguration

Tomcat

Web Server