Lucene search

GoogleOSV:GHSA-W65J-CMQC-37P2

HistoryMay 01, 2022 - 6:32 p.m.

JULI logging component in Apache Tomcat does not restrict certain permissions for web applications

2022-05-0118:32:22

Google

osv.dev

apache tomcat

juli logging

security vulnerability

web applications

file overwrite

AI Score

6.7

Confidence

Low

EPSS

0.004

Percentile

74.0%

JSON

The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.

References

lists.apple.com/archives/security-announce/2008/Oct/msg00001.html

lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

marc.info/?l=bugtraq&m=139344343412337&w=2

security.gentoo.org/glsa/glsa-200804-10.xml

securityreason.com/securityalert/3485

support.apple.com/kb/HT3216

support.avaya.com/elmodocs2/security/ASA-2008-401.htm

svn.apache.org/viewvc?view=rev&revision=606594

tomcat.apache.org/security-5.html

tomcat.apache.org/security-6.html

www.debian.org/security/2008/dsa-1447

www.mandriva.com/security/advisories?name=MDVSA-2008:188

www.redhat.com/support/errata/RHSA-2008-0042.html

www.redhat.com/support/errata/RHSA-2008-0195.html

www.redhat.com/support/errata/RHSA-2008-0831.html

www.redhat.com/support/errata/RHSA-2008-0832.html

www.redhat.com/support/errata/RHSA-2008-0833.html

www.redhat.com/support/errata/RHSA-2008-0834.html

www.redhat.com/support/errata/RHSA-2008-0862.html

www.securityfocus.com/archive/1/485481/100/0/threaded

www.securityfocus.com/archive/1/507985/100/0/threaded

www.securityfocus.com/bid/27006

www.securityfocus.com/bid/31681

www.vmware.com/security/advisories/VMSA-2008-0010.html

www.vmware.com/security/advisories/VMSA-2009-0016.html

exchange.xforce.ibmcloud.com/vulnerabilities/39201

github.com/apache/tomcat/tree/main/java/org/apache/juli

lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2007-5342

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10417

www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html

www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html