Arbitrary File Access

Affecting org.apache.tomcat:tomcat-catalina artifact, versions [7,7.0.17)

Overview

Apache Tomcat 7.0.x before 7.0.17 permits a web application to replace the XML parser that Tomcat uses to process other web applications' deployment descriptors. A local user who can deploy a crafted application that is loaded earlier than the target application can thereby read or modify the (1) web.xml, (2) context.xml, or (3) TLD files of arbitrary web applications. NOTE: this vulnerability exists because of a regression of the fix for CVE-2009-0783.
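As an added example (not part of this advisory or of the Tomcat project), the following Python script checks a Maven dependency list against the affected range given above, using Maven's range notation ("[" and "]" inclusive, "(" and ")" exclusive). The `mvn dependency:list` lines it scans are constructed for the example. The version ordering is a simplification of Maven's: any qualifier such as -SNAPSHOT is treated as a pre-release of the numeric version it follows, which is the conservative choice for an affected-range check.

```python
import re
import sys
from typing import List, Tuple

# Affected range copied from the advisory: Maven range notation, where
# "[" / "]" are inclusive bounds, "(" / ")" exclusive, and an empty bound is open.
AFFECTED = {"org.apache.tomcat:tomcat-catalina": "[7,7.0.17)"}

# (numeric parts, is_release) -- is_release is False when a qualifier is present.
Version = Tuple[Tuple[int, ...], bool]


def parse_version(text: str) -> Version:
    """Split '7.0.17' or '7.0.17-SNAPSHOT' into numeric parts plus a release flag.

    Simplification (assumption): anything after the numeric parts is treated as a
    pre-release of that number, so 7.0.17-SNAPSHOT sorts below 7.0.17. This is
    conservative: it never reports a pre-release of the fixed version as fixed.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, m.group(2) == ""


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1. Shorter numeric tuples are zero-padded so 7 == 7.0.0,
    and a trailing 1/0 ranks a release above a pre-release of the same number."""
    width = max(len(a[0]), len(b[0]))
    ka = a[0] + (0,) * (width - len(a[0])) + (1 if a[1] else 0,)
    kb = b[0] + (0,) * (width - len(b[0])) + (1 if b[1] else 0,)
    return (ka > kb) - (ka < kb)


def in_range(version: str, spec: str) -> bool:
    """True if `version` lies inside the Maven range `spec`, e.g. '[7,7.0.17)'."""
    m = re.fullmatch(r"([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    if lo:
        c = compare(v, parse_version(lo))
        if c < 0 or (c == 0 and lo_br == "("):
            return False
    if hi:
        c = compare(v, parse_version(hi))
        if c > 0 or (c == 0 and hi_br == ")"):
            return False
    return True


# groupId:artifactId:type:version:scope, as printed by `mvn dependency:list`.
DEP_LINE = re.compile(r"([\w.-]+):([\w.-]+):(?:jar|war|pom):([\w.-]+):\w+")


def scan_dependency_list(lines) -> List[Tuple[str, str]]:
    """Return (coordinate, version) pairs that fall inside an affected range."""
    hits = []
    for line in lines:
        m = DEP_LINE.search(line)
        if not m:
            continue
        coord = f"{m.group(1)}:{m.group(2)}"
        spec = AFFECTED.get(coord)
        if spec and in_range(m.group(3), spec):
            hits.append((coord, m.group(3)))
    return hits


# Constructed sample of `mvn dependency:list` output; not from a real build.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tomcat:tomcat-catalina:jar:7.0.16:compile
[INFO]    org.apache.tomcat:tomcat-catalina:jar:7.0.17:provided
[INFO]    org.apache.tomcat:tomcat-util:jar:7.0.16:compile
[INFO]    junit:junit:jar:4.12:test
""".splitlines()


if __name__ == "__main__":
    # Read real output from a pipe when available, otherwise use the sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for coord, ver in scan_dependency_list(source):
        print(f"VULNERABLE {coord} {ver} (CVE-2011-2481, fixed in 7.0.17)")
```

Piping the output of `mvn dependency:list` into the script checks a real build; with no input on stdin it runs over the constructed sample, reporting only the 7.0.16 artifact. Note that only the tomcat-catalina coordinate is listed as affected here, because that is the artifact this advisory names; other Tomcat artifacts from the same build should be checked against their own advisories.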

CVSS Score

5.9
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit: Unknown
CVE: CVE-2011-2481
CWE: CWE-284
Snyk ID: SNYK-JAVA-ORGAPACHETOMCAT-30892
Disclosed: 10 Jun, 2015
Published: 10 Jun, 2015