Description

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

http://rhn.redhat.com/errata/RHSA-2016-1089.html

http://rhn.redhat.com/errata/RHSA-2016-2599.html

http://rhn.redhat.com/errata/RHSA-2016-2807.html

http://rhn.redhat.com/errata/RHSA-2016-2808.html

http://seclists.org/bugtraq/2016/Feb/147

http://svn.apache.org/viewvc?view=revision&revision=1725926

http://svn.apache.org/viewvc?view=revision&revision=1725929

http://svn.apache.org/viewvc?view=revision&revision=1725931

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-9.html

http://www.debian.org/security/2016/dsa-3530

http://www.debian.org/security/2016/dsa-3552

http://www.debian.org/security/2016/dsa-3609

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.securityfocus.com/bid/83326

http://www.securitytracker.com/id/1035069

http://www.ubuntu.com/usn/USN-3024-1

https://access.redhat.com/errata/RHSA-2016:1087

https://access.redhat.com/errata/RHSA-2016:1088

https://bto.bluecoat.com/security-advisory/sa118

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755

https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://security.gentoo.org/glsa/201705-09

https://security.netapp.com/advisory/ntap-20180531-0001/

Related Vulnerabilities

CVE-2012-5055 Vulnerability in maven package org.springframework.security:spring-security-core

CVE-2023-40573 Vulnerability in maven package org.xwiki.platform:xwiki-platform-scheduler-api

CVE-2018-1000144 Vulnerability in maven package org.jenkins-ci.plugins:cucumber-living-documentation

CVE-2017-7661 Vulnerability in maven package org.apache.cxf.fediz:fediz-spring2

CVE-2020-6426 Vulnerability in npm package electron

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Tags

Vendor Advisory