Description

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

Remediation

References

CVE-2014-7810

Related Vulnerabilities

WordPress Plugin Events Made Easy Cross-Site Scripting (1.6.20)

MySQL CVE-2017-10283 Vulnerability (CVE-2017-10283)

WebLogic Use of a Broken or Risky Cryptographic Algorithm Vulnerability (CVE-2018-1000180)

Joomla Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-26030)

ClipBucket Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Vulnerability (CVE-2018-7664)

Severity

Medium

Classification

CVE-2014-7810 CWE-284

Tags

Missing Update Known Vulnerabilities