Description

org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.

Remediation

References

http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java?r1=1176588&r2=1176587&pathrev=1176588

http://svn.apache.org/viewvc?view=revision&revision=1176588

http://tomcat.apache.org/security-7.html

http://www.securityfocus.com/bid/50603

Related Vulnerabilities

CVE-2022-24858 Vulnerability in npm package next-auth

CVE-2022-46687 Vulnerability in maven package io.jenkins.plugins:spring-config

CVE-2016-6797 Vulnerability in maven package tomcat:catalina

CVE-2021-29418 Vulnerability in npm package netmask

CVE-2021-32702 Vulnerability in npm package nextjs-auth0

Severity

Critical

Classification

CWE-264

Tags

Patch Vendor Advisory