# CVE-2026-34486 — single vulnerable Tomcat node.
# Only the receiver node is needed: the fail-open path lives in the receiver's
# messageReceived(), reachable by any inbound Tribes frame on port 4000.
# Lab stack: one deliberately vulnerable Tomcat container, reachable from the
# host loopback only.
services:
  tomcat:
    container_name: cve-2026-34486-tomcat
    # With both `image` and `build` set, Compose builds from the Dockerfile in
    # this directory and tags the result with this name.
    image: cve-2026-34486-tomcat:11.0.20
    build:
      dockerfile: Dockerfile
      context: .
    # Never restart automatically: a crashed or compromised instance stays
    # stopped until someone brings it back up by hand.
    restart: "no"
    ports:
      # Both mappings are pinned to the host loopback. Keep the 127.0.0.1
      # prefix: without a host IP, Compose publishes on every host interface,
      # which would put the unauthenticated receiver on the network.
      #
      # 4000 - Tribes receiver, the unauthenticated attack surface.
      - "127.0.0.1:4000:4000"
      # 8080 - HTTP, optional channel for retrieving command output.
      - "127.0.0.1:8080:8080"
    healthcheck:
      # Healthy once the Tribes receiver socket accepts a TCP connection.
      # The probe runs inside the container (127.0.0.1 is the container's own
      # loopback), opens the socket through bash's /dev/tcp redirection and
      # sends no data. Assumes the image ships bash - confirm in the Dockerfile.
      # NOTE(review): a probe every 5s presumably appears as short-lived local
      # connections on port 4000; account for that when reading receiver logs.
      test:
        - 'CMD-SHELL'
        - "bash -c '</dev/tcp/127.0.0.1/4000' 2>/dev/null"
      start_period: 30s
      retries: 20
      timeout: 3s
      interval: 5s
