Metric | Value |
---|---|
CVSS2 score | 6.4 Medium |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
CVSS2 vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
EPSS | 0.005 Low |
EPSS Percentile | 75.5% |

The default catalina.policy in the JULI logging component in Apache Tomcat
5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain
permissions for web applications, which allows attackers to modify logging
configuration options and overwrite arbitrary files, as demonstrated by
changing the (1) level, (2) directory, and (3) prefix attributes in the
org.apache.juli.FileHandler handler.
Author | Note |
---|---|
jdstrand | Debian says vulnerable code not listed in tomcat5 |