Description

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

Remediation

References

http://svn.apache.org/viewvc?view=revision&revision=1644018

http://svn.apache.org/viewvc?view=revision&revision=1645642

http://tomcat.apache.org/security-6.html

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-7.html

http://www.debian.org/security/2016/dsa-3530

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964

http://marc.info/?l=bugtraq&m=145974991225029&w=2

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

http://rhn.redhat.com/errata/RHSA-2016-2046.html

http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

http://www.securityfocus.com/bid/74665

http://rhn.redhat.com/errata/RHSA-2016-0492.html

http://www.debian.org/security/2015/dsa-3428

http://www.debian.org/security/2016/dsa-3447

http://rhn.redhat.com/errata/RHSA-2015-1622.html

http://rhn.redhat.com/errata/RHSA-2015-1621.html

http://www.ubuntu.com/usn/USN-2655-1

http://www.securitytracker.com/id/1032330

http://www.ubuntu.com/usn/USN-2654-1

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

Related Vulnerabilities

CVE-2022-24785 Vulnerability in maven package org.webjars.bowergithub.moment:moment

CVE-2023-42794 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2022-21671 Vulnerability in npm package @replit/crosis

CVE-2022-22885 Vulnerability in maven package cn.hutool:hutool-http

CVE-2011-4969 Vulnerability in maven package org.webjars:jquery

Severity

Critical

Classification

CWE-284

Tags

Patch Vendor Advisory Third Party Advisory