Veracode Vulnerability DatabaseVERACODE:13537Restriction Bypass
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
JULI logging component is vulnerable to restriction bypass vulnerability.It uses the default security policy which does not restrict this configuration and allows an untrusted web application to add files or overwrite existing files where the Tomcat process has the necessary file permissions to do so.
References
lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
marc.info/?l=bugtraq&m=139344343412337&w=2
osvdb.org/39833
secunia.com/advisories/28274
secunia.com/advisories/28317
secunia.com/advisories/28915
secunia.com/advisories/29313
secunia.com/advisories/29711
secunia.com/advisories/30676
secunia.com/advisories/32120
secunia.com/advisories/32222
secunia.com/advisories/32266
secunia.com/advisories/37460
secunia.com/advisories/57126
security.gentoo.org/glsa/glsa-200804-10.xml
securityreason.com/securityalert/3485
support.apple.com/kb/HT3216
support.avaya.com/elmodocs2/security/ASA-2008-401.htm
svn.apache.org/viewvc/tomcat/trunk/conf/catalina.policy?r1=606594&r2=606593&pathrev=606594
svn.apache.org/viewvc?view=rev&revision=606594
tomcat.apache.org/security-5.html
tomcat.apache.org/security-6.html
www.debian.org/security/2008/dsa-1447
www.mandriva.com/security/advisories?name=MDVSA-2008:188
www.redhat.com/support/errata/RHSA-2008-0042.html
www.redhat.com/support/errata/RHSA-2008-0195.html
www.redhat.com/support/errata/RHSA-2008-0831.html
www.redhat.com/support/errata/RHSA-2008-0832.html
www.redhat.com/support/errata/RHSA-2008-0833.html
www.redhat.com/support/errata/RHSA-2008-0834.html
www.redhat.com/support/errata/RHSA-2008-0862.html
www.securityfocus.com/archive/1/485481/100/0/threaded
www.securityfocus.com/archive/1/507985/100/0/threaded
www.securityfocus.com/bid/27006
www.securityfocus.com/bid/31681
www.vmware.com/security/advisories/VMSA-2008-0010.html
www.vmware.com/security/advisories/VMSA-2009-0016.html
www.vupen.com/english/advisories/2008/0013
www.vupen.com/english/advisories/2008/1856/references
www.vupen.com/english/advisories/2008/2780
www.vupen.com/english/advisories/2008/2823
www.vupen.com/english/advisories/2009/3316
exchange.xforce.ibmcloud.com/vulnerabilities/39201
lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10417
www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html
www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html
Related
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N