Description
org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.
Remediation
References
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java?r1=1176588&r2=1176587&pathrev=1176588
http://svn.apache.org/viewvc?view=revision&revision=1176588
http://tomcat.apache.org/security-7.html
http://www.securityfocus.com/bid/50603