Description
org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.
Remediation
References
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java?r1=1176588&r2=1176587&pathrev=1176588
http://svn.apache.org/viewvc?view=revision&revision=1176588
http://tomcat.apache.org/security-7.html
http://www.securityfocus.com/bid/50603
Related Vulnerabilities
CVE-2023-48240 Vulnerability in maven package org.xwiki.platform:xwiki-platform-diff-xml
CVE-2014-3652 Vulnerability in maven package org.keycloak:keycloak-services
CVE-2017-5653 Vulnerability in maven package org.apache.cxf:cxf-rt-rs-security-xml
CVE-2023-26049 Vulnerability in maven package org.eclipse.jetty:jetty-http
CVE-2023-47324 Vulnerability in maven package org.silverpeas.core:silverpeas-core