Multiple vulnerabilities in Apache Tomcat versions before 6.0.45, 7.0.65, 7.0.66, 7.0.68, 8.0.27, 8.0.30, 8.0.31 and 9.0.0.M2.
Directory traversal allowing bypass of the SecurityManager
Directory enumeration through redirection handling
CSRF bypass in Manager and HostManager
Authorization bypass allowing authenticated users to access privileged information such as HTTP requests containing session-ids
Arbitrary remote code execution via persistent session object
Authorization bypass allowing read/write access to application data from an authenticated user
NIST CVE links:
6 has now been removed from the tree.
The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x
before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider
whether ResourceLinkFactory.setGlobalContext callers are authorized, which
allows remote authenticated users to bypass intended SecurityManager
restrictions and read or write to arbitrary application data, or cause a
denial of service (application disruption), via a web application that sets
a crafted global context.

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45,
7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles
session attributes, which allows remote authenticated users to bypass
intended SecurityManager restrictions and execute arbitrary code in a
privileged context via a web application that places a crafted object in a

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and
9.x before 9.0.0.M2 does not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/RestrictedServlets.properties list, which allows
remote authenticated users to bypass intended SecurityManager restrictions
and read arbitrary HTTP requests, and consequently discover session ID
values, via a crafted web application.
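As an added check for this advisory (not part of the bug report or of the Tomcat project), the following Python compares an installed Tomcat version against the fixed versions quoted in the three descriptions above and reports which of those issues still apply. The issue labels and the ordering of milestone builds (9.0.0.M2 before 9.0.0.M3 before a final 9.0.0) are assumptions made for this example.

```python
import re

# Fixed version per branch, as quoted in the three descriptions above.
# A branch with no entry is not listed as affected by that issue.
ADVISORY_FIXES = {
    "setGlobalContext authorization bypass": {7: "7.0.68", 8: "8.0.31", 9: "9.0.0.M3"},
    "session persistence code execution": {6: "6.0.45", 7: "7.0.68", 8: "8.0.31", 9: "9.0.0.M2"},
    "StatusManagerServlet not restricted": {6: "6.0.45", 7: "7.0.68", 8: "8.0.31", 9: "9.0.0.M2"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Parse 'major.minor.patch' or 'major.minor.patch.M<n>' into a sortable tuple.

    Assumption: a milestone build (M<n>) precedes the final release of the
    same number, so 9.0.0.M2 < 9.0.0.M3 < 9.0.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    # A final release outranks every milestone of the same number.
    rank = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), rank)


def affecting_issues(installed):
    """Return the advisory issues whose fix is newer than the installed version."""
    version = parse_version(installed)
    branch = version[0]
    hits = []
    for issue, fixes in ADVISORY_FIXES.items():
        fixed = fixes.get(branch)
        if fixed is not None and version < parse_version(fixed):
            hits.append(issue)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs covering the fixed, unfixed and milestone cases.
    for sample in ("6.0.44", "7.0.68", "8.0.30", "9.0.0.M2", "9.0.0.M3"):
        print(sample, "->", affecting_issues(sample) or "not affected by the listed issues")
```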
9.x is unstable.
This issue was resolved and addressed in
GLSA 201705-09 at https://security.gentoo.org/glsa/201705-09
by GLSA coordinator Yury German (BlueKnight).