Lucene search

[email protected]CVE-2007-5342

HistoryDec 27, 2007 - 10:46 p.m.

CVE-2007-5342

2007-12-2722:46:00

CWE-264

[email protected]

web.nvd.nist.gov

cve-2007-5342

apache tomcat

juli logging component

security vulnerability

web applications

file overwrite

nvd

cve

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

7.4 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

75.2%

JSON

The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.

Affected configurations

NVD

Node

apachetomcatMatch5.5.9

apachetomcatMatch5.5.10

apachetomcatMatch5.5.11

apachetomcatMatch5.5.12

apachetomcatMatch5.5.13

apachetomcatMatch5.5.14

apachetomcatMatch5.5.15

apachetomcatMatch5.5.16

apachetomcatMatch5.5.17

apachetomcatMatch5.5.18

apachetomcatMatch5.5.19

apachetomcatMatch5.5.20

apachetomcatMatch5.5.21

apachetomcatMatch5.5.22

apachetomcatMatch5.5.23

apachetomcatMatch5.5.24

apachetomcatMatch5.5.25

apachetomcatMatch6.0

apachetomcatMatch6.0.1

apachetomcatMatch6.0.2

apachetomcatMatch6.0.3

apachetomcatMatch6.0.4

apachetomcatMatch6.0.5

apachetomcatMatch6.0.6

apachetomcatMatch6.0.7

apachetomcatMatch6.0.8

apachetomcatMatch6.0.9

apachetomcatMatch6.0.10

apachetomcatMatch6.0.11

apachetomcatMatch6.0.12

apachetomcatMatch6.0.13

apachetomcatMatch6.0.14

apachetomcatMatch6.0.15

CPENameOperatorVersion
apache:tomcatapache tomcateq5.5.9
apache:tomcatapache tomcateq5.5.10
apache:tomcatapache tomcateq5.5.11
apache:tomcatapache tomcateq5.5.12
apache:tomcatapache tomcateq5.5.13
apache:tomcatapache tomcateq5.5.14
apache:tomcatapache tomcateq5.5.15
apache:tomcatapache tomcateq5.5.16
apache:tomcatapache tomcateq5.5.17
apache:tomcatapache tomcateq5.5.18

CPE	Name	Operator	Version
apache:tomcat	apache tomcat	eq	5.5.9
apache:tomcat	apache tomcat	eq	5.5.10
apache:tomcat	apache tomcat	eq	5.5.11
apache:tomcat	apache tomcat	eq	5.5.12
apache:tomcat	apache tomcat	eq	5.5.13
apache:tomcat	apache tomcat	eq	5.5.14
apache:tomcat	apache tomcat	eq	5.5.15
apache:tomcat	apache tomcat	eq	5.5.16
apache:tomcat	apache tomcat	eq	5.5.17
apache:tomcat	apache tomcat	eq	5.5.18

Rows per page:

1-10 of 331

References

lists.apple.com/archives/security-announce/2008/Oct/msg00001.html

lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

marc.info/?l=bugtraq&m=139344343412337&w=2

osvdb.org/39833

secunia.com/advisories/28274

secunia.com/advisories/28317

secunia.com/advisories/28915

secunia.com/advisories/29313

secunia.com/advisories/29711

secunia.com/advisories/30676

secunia.com/advisories/32120

secunia.com/advisories/32222

secunia.com/advisories/32266

secunia.com/advisories/37460

secunia.com/advisories/57126

security.gentoo.org/glsa/glsa-200804-10.xml

securityreason.com/securityalert/3485

support.apple.com/kb/HT3216

support.avaya.com/elmodocs2/security/ASA-2008-401.htm

svn.apache.org/viewvc?view=rev&revision=606594

tomcat.apache.org/security-5.html

tomcat.apache.org/security-6.html

www.debian.org/security/2008/dsa-1447

www.mandriva.com/security/advisories?name=MDVSA-2008:188

www.redhat.com/support/errata/RHSA-2008-0042.html

www.redhat.com/support/errata/RHSA-2008-0195.html

www.redhat.com/support/errata/RHSA-2008-0831.html

www.redhat.com/support/errata/RHSA-2008-0832.html

www.redhat.com/support/errata/RHSA-2008-0833.html

www.redhat.com/support/errata/RHSA-2008-0834.html

www.redhat.com/support/errata/RHSA-2008-0862.html

www.securityfocus.com/archive/1/485481/100/0/threaded

www.securityfocus.com/archive/1/507985/100/0/threaded

www.securityfocus.com/bid/27006

www.securityfocus.com/bid/31681

www.vmware.com/security/advisories/VMSA-2008-0010.html

www.vmware.com/security/advisories/VMSA-2009-0016.html

www.vupen.com/english/advisories/2008/0013

www.vupen.com/english/advisories/2008/1856/references

www.vupen.com/english/advisories/2008/2780

www.vupen.com/english/advisories/2008/2823

www.vupen.com/english/advisories/2009/3316

exchange.xforce.ibmcloud.com/vulnerabilities/39201

lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10417

www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html

www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

7.4 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

75.2%

JSON

Related for CVE-2007-5342

nvd1 veracode1 securityvulns2 prion1 ubuntucve1 osv2 seebug1 github1 cvelist1 openvas21 redhat4 nessus24 centos1 oraclelinux1 gentoo1 tomcat2 debian1 fedora3 vmware4