Description

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

Remediation

References

CVE-2014-7810

Related Vulnerabilities

Joomla! Core 1.5.x Multiple Vulnerabilities (1.5.0 - 1.5.9)

MediaWiki Other Vulnerability (CVE-2006-2895)

ownCloud Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-2086)

WordPress Plugin WP Mobile Detector Multiple Vulnerabilities (3.8)

phpMyFAQ Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2010-4558)

Severity

Medium

Classification

CVE-2014-7810 CWE-284

Tags

Missing Update Known Vulnerabilities