CVSS2: 5 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Apache Tomcat Jasper 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 allows a web application to bypass a SecurityManager protection mechanism by using incorrect privileges during an EL evaluation. This occurs because Jasper does not take into account the possibility of an accessible interface implemented by an inaccessible class.
marc.info/?l=bugtraq&m=145974991225029&w=2
rhn.redhat.com/errata/RHSA-2015-1621.html
rhn.redhat.com/errata/RHSA-2015-1622.html
rhn.redhat.com/errata/RHSA-2016-0492.html
rhn.redhat.com/errata/RHSA-2016-2046.html
svn.apache.org/viewvc?view=revision&revision=1644018
svn.apache.org/viewvc?view=revision&revision=1645642
tomcat.apache.org/security-6.html
tomcat.apache.org/security-7.html
tomcat.apache.org/security-8.html
www.debian.org/security/2015/dsa-3428
www.debian.org/security/2016/dsa-3447
www.debian.org/security/2016/dsa-3530
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
www.securityfocus.com/bid/74665
www.securitytracker.com/id/1032330
www.ubuntu.com/usn/USN-2654-1
www.ubuntu.com/usn/USN-2655-1
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1301646
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44