6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.007 Low
EPSS
Percentile
79.8%
CentOS Errata and Security Advisory CESA-2008:0042
Tomcat is a servlet container for Java Servlet and JavaServer Pages
technologies.
A directory traversal vulnerability existed in the Apache Tomcat webdav
servlet. In some configurations it allowed remote authenticated users to
read files accessible to the local tomcat process. (CVE-2007-5461)
The default security policy in the JULI logging component did not restrict
access permissions to files. This could be misused by untrusted web
applications to access and write arbitrary files in the context of the
tomcat process. (CVE-2007-5342)
Users of Tomcat should update to these errata packages, which contain
backported patches and are not vulnerable to these issues.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2008-March/076926.html
https://lists.centos.org/pipermail/centos-announce/2008-March/076927.html
Affected packages:
tomcat5
tomcat5-admin-webapps
tomcat5-common-lib
tomcat5-jasper
tomcat5-jasper-javadoc
tomcat5-jsp-2.0-api
tomcat5-jsp-2.0-api-javadoc
tomcat5-server-lib
tomcat5-servlet-2.4-api
tomcat5-servlet-2.4-api-javadoc
tomcat5-webapps
Upstream details at:
https://access.redhat.com/errata/RHSA-2008:0042