Description
The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.
Remediation
References
Related Vulnerabilities
GeoServer Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2024-36401)
WordPress 4.2.x Multiple Vulnerabilities (4.2 - 4.2.28)
WordPress Plugin MailPoet Newsletters (Previous) 'swfupload.swf' Cross-Site Scripting (2.1.6)
Oracle Database Server CVE-2006-5334 Vulnerability (CVE-2006-5334)
WordPress Plugin WP Photo Album Plus Cross-Site Request Forgery (4.8.11)