Description

Apache Tomcat default installation contains the "/examples" directory which has many example servlets and JSPs. Some of these examples are a security risk and should not be deployed on a production server.
The Sessions Example servlet (installed at /examples/servlets/servlet/SessionExample) allows session manipulation. Because the session is global this servlet poses a big security risk as an attacker can potentitally become an administrator by manipulating its session.

Remediation

Disable public access to the examples directory.

References

Tomcat Servlet Examples threats

Related Vulnerabilities

PostgreSQL CVE-2021-3677 Vulnerability (CVE-2021-3677)

Jboss EAP Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-5629)

Joomla Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-6263)

GlassFish CVE-2011-0807 Vulnerability (CVE-2011-0807)

Dotclear Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-5690)

Severity

Medium

Classification

CWE-264 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Tags

Configuration Information Disclosure Known Vulnerabilities