PT-2015-3927 · Apache+4 · Apache Tomcat+4

Published

2015-01-16

Updated

2022-05-14

CVE-2014-7810

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 6.x through 6.0.43 Apache Tomcat versions 7.x through 7.0.57 Apache Tomcat versions 8.x through 8.0.15

Description The issue allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during Expression Language (EL) evaluation. Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.

Recommendations For Apache Tomcat versions 6.x through 6.0.43, update to version 6.0.44 or later. For Apache Tomcat versions 7.x through 7.0.57, update to version 7.0.58 or later. For Apache Tomcat versions 8.x through 8.0.15, update to version 8.0.16 or later.

Exploit

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

CESA-2016_0492

CESA-2016_2046

CVE-2014-7810

DLA-232-1

DSA-3428-1

DSA-3447-1

DSA-3530-1

GHSA-4C43-CWVX-9CRH

RHSA-2015:1622

RHSA-2016:0492

RHSA-2016:2046

RHSA-2016_0492

RHSA-2016_2046

SUSE-SU-2015:1281-1

SUSE-SU-2015:1565-1

SUSE-SU-2015_1281-1

USN-2654-1

USN-2655-1

Affected Products

Apache Tomcat

Centos

Red Hat

Suse

Ubuntu

PT-2015-3927 · Apache+4 · Apache Tomcat+4

CVE-2014-7810

Weakness Enumeration

Related Identifiers

Affected Products

References · 138