Description

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

Remediation

References

CVE-2014-7810

Related Vulnerabilities

Oracle Database Server CVE-2012-1751 Vulnerability (CVE-2012-1751)

PHP Interpretation Conflict Vulnerability (CVE-2025-1217)

WordPress Plugin Post Logo Cross-Site Scripting (1.1b)

WordPress Plugin Yoast SEO Cross-Site Scripting (20.2)

Atlassian Jira Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2017-18033)

Severity

Medium

Classification

CVE-2014-7810 CWE-284

Tags

Missing Update Known Vulnerabilities