CVE-2014-7810

Опубликовано: 14 мая 2015

Источник: redhat

CVSS2: 5.8

Описание

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat BPM Suite 6	jbossweb	Not affected
Red Hat Developer Toolset 2.1	devtoolset-2-tomcat	Not affected
Red Hat Enterprise Linux 5	tomcat5	Under investigation
Red Hat JBoss BRMS 6	jbossweb	Not affected
Red Hat JBoss Data Grid 6	jbossweb	Under investigation
Red Hat JBoss Data Virtualization 6	jbossweb	Not affected
Red Hat JBoss Enterprise Application Platform 6	jbossweb	Affected
Red Hat JBoss Enterprise Web Server 1	tomcat6	Affected
Red Hat JBoss Fuse Service Works 6	jbossweb	Not affected
Red Hat JBoss Operations Network 3	jbossweb	Under investigation

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1222573Tomcat/JbossWeb: security manager bypass via EL expressions

5.8 Medium

CVSS2

Связанные уязвимости

CVE-2014-7810

ubuntu

около 10 лет назад

CVE-2014-7810

nvd

около 10 лет назад

CVE-2014-7810

debian

около 10 лет назад

The Expression Language (EL) implementation in Apache Tomcat 6.x befor ...

SUSE-SU-2015:1281-1

suse-cvrf

около 10 лет назад

Security update for tomcat

GHSA-4c43-cwvx-9crh

github

около 3 лет назад

Improper Access Control in Apache Tomcat

5.8 Medium

CVSS2