The security issue is caused by access to the Manager application's servlets not being restricted from untrusted web applications. This can be exploited to use the functionality of the Manager application from a published web application. Successful exploitation requires the "manager-script" privileges. The security issue is reported in versions prior to 7.0.22.

Per http://tomcat.apache.org/security-7.html:

This issue only affects environments running web applications that are not trusted (e.g. shared hosting environments). The Servlets that implement the functionality of the Manager application that ships with Apache Tomcat should only be available to Contexts (web applications) that are marked as privileged. However, this check was not being made. This allowed an untrusted web application to use the functionality of the Manager application. This could be used to obtain information on running web applications as well as deploying additional web applications.
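The check the advisory says was missing, written out as an added illustration (this is not Tomcat's own DefaultInstanceManager code): a servlet that implements the container-internal ContainerServlet interface must only be instantiated inside a Context whose privileged flag is set (the Manager application sets privileged="true" in its META-INF/context.xml; ordinary web applications default to false). The interface name is the real Tomcat one; the ContextView, ManagerLikeServlet and PrivilegedContextCheck classes are hypothetical stand-ins so the example runs stand-alone.

```java
// Added example, not Apache Tomcat source: models the "privileged context" gate
// that CVE-2011-3376 was missing. Hypothetical classes; only the interface name
// ContainerServlet matches Tomcat (org.apache.catalina.ContainerServlet).

/** Marker interface: servlets with container-level access (as in Tomcat). */
interface ContainerServlet {}

/** Hypothetical: a servlet with Manager-like powers (list/deploy webapps). */
class ManagerLikeServlet implements ContainerServlet {}

/** Hypothetical: an ordinary application servlet with no container access. */
class PlainServlet {}

/** Hypothetical view of a Context: its name and its privileged attribute. */
class ContextView {
    final String name;
    final boolean privileged; // corresponds to <Context privileged="true"/>
    ContextView(String name, boolean privileged) {
        this.name = name;
        this.privileged = privileged;
    }
}

/** Hypothetical instance manager that enforces the privileged-context rule. */
class PrivilegedContextCheck {
    private final ContextView context;
    PrivilegedContextCheck(ContextView context) { this.context = context; }

    /**
     * Instantiate a servlet class on behalf of this context.
     * Refuses any ContainerServlet unless the context is privileged,
     * which is the check the pre-7.0.22 instance manager did not make.
     */
    Object newInstance(Class<?> clazz) throws Exception {
        if (ContainerServlet.class.isAssignableFrom(clazz) && !context.privileged) {
            throw new SecurityException("Restricted class " + clazz.getName()
                    + " in unprivileged context " + context.name);
        }
        return clazz.getDeclaredConstructor().newInstance();
    }
}

public class PrivilegedContextDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample contexts: a tenant webapp and the Manager app.
        ContextView tenant = new ContextView("/tenant-app", false);
        ContextView manager = new ContextView("/manager", true);

        // Unprivileged context may create plain servlets...
        System.out.println("tenant PlainServlet: "
                + new PrivilegedContextCheck(tenant).newInstance(PlainServlet.class));

        // ...but must be refused a ContainerServlet.
        try {
            new PrivilegedContextCheck(tenant).newInstance(ManagerLikeServlet.class);
            System.out.println("tenant ManagerLikeServlet: ALLOWED (vulnerable behaviour)");
        } catch (SecurityException e) {
            System.out.println("tenant ManagerLikeServlet: refused -> " + e.getMessage());
        }

        // The privileged Manager context is allowed the same class.
        System.out.println("manager ManagerLikeServlet: "
                + new PrivilegedContextCheck(manager).newInstance(ManagerLikeServlet.class));
    }
}
```

For a deployment-side check on a shared host, the equivalent question is whether any tenant's context (in its META-INF/context.xml or in the server's conf/Catalina/<host>/ directory) carries privileged="true"; only the Manager and Host Manager applications should.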
Affects: 7.0.0-7.0.21

7.0.22 is in tree, closing as invalid =)
CVE-2011-3376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3376): org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.