Description
org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.
Remediation
References
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java?r1=1176588&r2=1176587&pathrev=1176588
http://svn.apache.org/viewvc?view=revision&revision=1176588
http://tomcat.apache.org/security-7.html
http://www.securityfocus.com/bid/50603