Description
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
Remediation
References
http://svn.apache.org/viewvc?view=revision&revision=1725931
http://svn.apache.org/viewvc?view=revision&revision=1725929
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-7.html
http://seclists.org/bugtraq/2016/Feb/147
http://svn.apache.org/viewvc?view=revision&revision=1725926
http://www.debian.org/security/2016/dsa-3530
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
http://www.debian.org/security/2016/dsa-3609
http://www.ubuntu.com/usn/USN-3024-1
http://www.debian.org/security/2016/dsa-3552
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
http://www.securityfocus.com/bid/83326
https://access.redhat.com/errata/RHSA-2016:1087
http://rhn.redhat.com/errata/RHSA-2016-1089.html
https://access.redhat.com/errata/RHSA-2016:1088
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html
https://bto.bluecoat.com/security-advisory/sa118
http://www.securitytracker.com/id/1035069
https://security.gentoo.org/glsa/201705-09
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://rhn.redhat.com/errata/RHSA-2016-2599.html
https://security.netapp.com/advisory/ntap-20180531-0001/
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
Related Vulnerabilities
CVE-2013-2134 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2021-23266 Vulnerability in maven package org.craftercms:crafter-engine
CVE-2017-1000391 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2019-8331 Vulnerability in maven package org.webjars:bootstrap
CVE-2022-36883 Vulnerability in maven package org.jenkins-ci.plugins:git