GitHub Advisory DatabaseGHSA-W65J-CMQC-37P2JULI logging component in Apache Tomcat does not restrict certain permissions for web applications
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.004 Low
EPSS
Percentile
75.2%
The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.tomcat:tomcat-juli | le | 6.0.15 | |
| org.apache.tomcat:tomcat-juli | le | 5.5.25 |
References
lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
marc.info/?l=bugtraq&m=139344343412337&w=2
security.gentoo.org/glsa/glsa-200804-10.xml
securityreason.com/securityalert/3485
support.apple.com/kb/HT3216
support.avaya.com/elmodocs2/security/ASA-2008-401.htm
svn.apache.org/viewvc?view=rev&revision=606594
tomcat.apache.org/security-5.html
tomcat.apache.org/security-6.html
www.debian.org/security/2008/dsa-1447
www.mandriva.com/security/advisories?name=MDVSA-2008:188
www.redhat.com/support/errata/RHSA-2008-0042.html
www.redhat.com/support/errata/RHSA-2008-0195.html
www.redhat.com/support/errata/RHSA-2008-0831.html
www.redhat.com/support/errata/RHSA-2008-0832.html
www.redhat.com/support/errata/RHSA-2008-0833.html
www.redhat.com/support/errata/RHSA-2008-0834.html
www.redhat.com/support/errata/RHSA-2008-0862.html
www.securityfocus.com/archive/1/485481/100/0/threaded
www.securityfocus.com/archive/1/507985/100/0/threaded
www.securityfocus.com/bid/27006
www.securityfocus.com/bid/31681
www.vmware.com/security/advisories/VMSA-2008-0010.html
www.vmware.com/security/advisories/VMSA-2009-0016.html
exchange.xforce.ibmcloud.com/vulnerabilities/39201
github.com/advisories/GHSA-w65j-cmqc-37p2
lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2007-5342
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10417
www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html
www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html
Related
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.004 Low
EPSS
Percentile
75.2%