CVE-2002-1394 in Tomcat
Summary
by MITRE
Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.
Analysis
by VulDB Data Team • 09/06/2025
The vulnerability described in CVE-2002-1394 represents a critical security flaw in Apache Tomcat versions 4.0.5 and earlier that arises from the improper interaction between the invoker servlet and the default servlet. This vulnerability is classified as a variant of CAN-2002-1148, indicating a similar pattern of security weakness that has been previously documented. The flaw specifically manifests when both servlets are enabled and configured within the same Tomcat instance, creating a dangerous configuration that exposes the underlying server files to unauthorized access.
The technical root cause of this vulnerability lies in how the invoker servlet processes requests and how it interacts with the default servlet's file handling mechanisms. When both components are active, the invoker servlet can be exploited to bypass normal access controls and retrieve the source code of server files, effectively allowing attackers to obtain sensitive information about the application's implementation. This occurs because the invoker servlet's dynamic request handling can be manipulated to access resources that should normally be protected by the default servlet's security mechanisms. The vulnerability is particularly dangerous as it enables attackers to bypass authentication and authorization checks that would normally prevent access to server-side files and configurations.
The operational impact of this vulnerability is severe for any organization running affected Tomcat versions, as it provides attackers with the ability to extract source code, configuration files, and potentially sensitive data that could be used for further exploitation. The ability to read server files exposes not only application source code but also potentially sensitive information such as database connection strings, API keys, and other credentials that might be embedded in the source files. This information disclosure vulnerability can serve as a launching point for more sophisticated attacks, including privilege escalation, data theft, and system compromise. The vulnerability affects the fundamental security model of the application server by undermining the expected isolation between different servlet components.
Organizations should immediately upgrade to Apache Tomcat versions 4.1.0 or later, which contain the necessary patches to address this vulnerability. The recommended mitigation strategy involves disabling the invoker servlet if it is not actively required, as this eliminates the attack vector entirely. Additionally, administrators should implement proper access controls and ensure that only necessary servlets are enabled within their Tomcat configurations. This vulnerability aligns with CWE-200, which covers "Information Exposure," and represents a clear violation of the principle of least privilege. From an ATT&CK framework perspective, this vulnerability maps to techniques involving information discovery and credential access, as it enables adversaries to gather sensitive information about the target system and its components. Organizations should also conduct comprehensive security audits to identify any other potentially vulnerable configurations and ensure that their web application security practices align with industry best practices for protecting against similar information disclosure vulnerabilities.
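The mitigation above (disable the invoker servlet unless it is genuinely needed) is a configuration change in Tomcat's web.xml descriptors, and the condition the CVE depends on is simply that the invoker servlet is both declared and mapped to a URL while the default servlet is active. The following Python script is an added example, not code from VulDB, MITRE or the Tomcat project: it parses one or more web.xml descriptors and reports every url-pattern that still routes to the invoker servlet, so an administrator can confirm the mitigation actually holds. It assumes the stock Tomcat 4 servlet class name org.apache.catalina.servlets.InvokerServlet and the default /servlet/* mapping; the XML fragments are constructed samples, not copies of a real conf/web.xml, and the DOCTYPE a real descriptor carries is omitted.

```python
"""Audit Tomcat web.xml descriptors for an enabled invoker servlet (CVE-2002-1394 mitigation check).

Added example, not VulDB's or Tomcat's own code. Assumptions: the class name
org.apache.catalina.servlets.InvokerServlet and the /servlet/* url-pattern are the stock
Tomcat 4 defaults; the XML samples below are constructed, not copied from a real install.
"""
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"


def _local(tag):
    """Strip an XML namespace so Servlet 2.4+ descriptors audit the same way as 2.3 ones."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child element called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def audit_web_xml(*xml_texts):
    """Return the sorted url-patterns that route to the invoker servlet across all given
    descriptors. Tomcat applies conf/web.xml to every application, so a <servlet-mapping>
    in an app's WEB-INF/web.xml can reference a <servlet> declared in conf/web.xml; that is
    why declarations and mappings are collected across files before matching.
    An empty list means the invoker is unreachable, i.e. the mitigation holds."""
    roots = [ET.fromstring(text) for text in xml_texts]
    invoker_names = {
        _child_text(s, "servlet-name")
        for root in roots
        for s in root
        if _local(s.tag) == "servlet" and _child_text(s, "servlet-class") == INVOKER_CLASS
    }
    exposed = [
        _child_text(m, "url-pattern")
        for root in roots
        for m in root
        if _local(m.tag) == "servlet-mapping" and _child_text(m, "servlet-name") in invoker_names
    ]
    return sorted(exposed)


# Constructed fragments mirroring the stock Tomcat 4 conf/web.xml entries.
INVOKER_SERVLET = """  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
"""
INVOKER_MAPPING = """  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
"""

# Constructed sample: default servlet and invoker servlet both declared and mapped,
# the configuration CVE-2002-1394 requires.
VULNERABLE_CONF = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
""" + INVOKER_SERVLET + """  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
""" + INVOKER_MAPPING + "</web-app>"

# Mitigated by commenting out only the mapping: the XML parser drops the comment, so the
# servlet stays declared but has no URL. Sufficient for conf/web.xml on its own.
MAPPING_COMMENTED_CONF = VULNERABLE_CONF.replace(INVOKER_MAPPING, "<!--\n" + INVOKER_MAPPING + "-->\n")

# Fully removed: neither the declaration nor the mapping survives.
HARDENED_CONF = MAPPING_COMMENTED_CONF.replace(INVOKER_SERVLET, "")

# Constructed per-application WEB-INF/web.xml that re-adds a mapping to the "invoker" name.
# This only takes effect if conf/web.xml still declares the servlet, which is the edge case
# the audit is meant to catch.
APP_WEB_XML = "<web-app>\n" + INVOKER_MAPPING + "</web-app>"


if __name__ == "__main__":
    print("stock conf:", audit_web_xml(VULNERABLE_CONF))
    print("mapping commented out:", audit_web_xml(MAPPING_COMMENTED_CONF))
    print("declaration kept + app mapping:", audit_web_xml(MAPPING_COMMENTED_CONF, APP_WEB_XML))
    print("fully removed + app mapping:", audit_web_xml(HARDENED_CONF, APP_WEB_XML))
```

Run it against the real conf/web.xml together with every deployed application's WEB-INF/web.xml; the last two sample runs show why: commenting out the mapping in conf/web.xml alone leaves the declaration in place, and a single application descriptor can map a URL back onto it, whereas removing the declaration makes any stray mapping inert.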