Metric | Value |
---|---|
CVSS2 | 5 Medium |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |
EPSS | 0.003 Low |
Percentile | 68.5% |

The Expression Language (EL) implementation in Apache Tomcat 6.x before
6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider
the possibility of an accessible interface implemented by an inaccessible
class, which allows attackers to bypass a SecurityManager protection
mechanism via a web application that leverages use of incorrect privileges
during EL evaluation.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 12.04 | noarch | tomcat6 | < 6.0.35-1ubuntu3.6 | UNKNOWN |
ubuntu | 14.04 | noarch | tomcat6 | < 6.0.39-1ubuntu0.1 | UNKNOWN |
ubuntu | 16.04 | noarch | tomcat6 | < 6.0.45+dfsg-1 | UNKNOWN |
ubuntu | 14.04 | noarch | tomcat7 | < 7.0.52-1ubuntu0.3 | UNKNOWN |
ubuntu | 14.10 | noarch | tomcat7 | < 7.0.55-1ubuntu0.2 | UNKNOWN |
ubuntu | 15.04 | noarch | tomcat7 | < 7.0.56-2ubuntu0.1 | UNKNOWN |
ubuntu | 15.04 | noarch | tomcat8 | < 8.0.14-1+deb8u1build0.15.04.1 | UNKNOWN |
tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59
tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810
launchpad.net/bugs/cve/CVE-2014-7810
nvd.nist.gov/vuln/detail/CVE-2014-7810
security-tracker.debian.org/tracker/CVE-2014-7810
ubuntu.com/security/notices/USN-2654-1
ubuntu.com/security/notices/USN-2655-1