Apache Tomcat servlet/JSP container default files



A fresh Apache Tomcat installation typically includes a number of default files, example JSPs and example Servlets that can be visible via the server's web interface.  These files can help an attacker to guess the exact version of Apache Tomcat that you are running, and may provide other useful information.


The impact of this vulnerability depends on your server and your security practices:

  • The information revealed by these file may be helpful to a hacker attempting to compromise your system.  In addition, the presence of these files may give the hint the web server was set up by someone who is not security conscious, and therefore may contain other vulnerabilities.
  • On the other hand, if your installed version of Tomcat that doesn't have known security issues, then allowing potential attackers to determine the version does not present any risks.


We recommend that you remove any default pages and example JSPs and servlets.  For more information, refer to OWASP: Securing Tomcat.

Have more questions? Submit a request


Powered by Zendesk