GHSA-3mjp-p938-4329

Suggest an improvement
Source
https://github.com/advisories/GHSA-3mjp-p938-4329
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3mjp-p938-4329/GHSA-3mjp-p938-4329.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3mjp-p938-4329
Aliases
Published
2022-05-13T01:02:16Z
Modified
2024-03-11T05:32:15.935246Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Apache Tomcat vulnerable to SecurityManager bypass
Details

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0.M1
Fixed
9.0.0.M10

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9

Database specific

{
    "last_known_affected_version_range": "<= 9.0.0.M9"
}

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.0
Fixed
8.5.5

Affected versions

8.*

8.5.0
8.5.2
8.5.3
8.5.4

Database specific

{
    "last_known_affected_version_range": "<= 8.5.4"
}

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0.RC1
Fixed
8.0.37

Affected versions

8.*

8.0.1
8.0.3
8.0.5
8.0.8
8.0.9
8.0.11
8.0.12
8.0.14
8.0.15
8.0.17
8.0.18
8.0.20
8.0.21
8.0.22
8.0.23
8.0.24
8.0.26
8.0.27
8.0.28
8.0.29
8.0.30
8.0.32
8.0.33
8.0.35
8.0.36

Database specific

{
    "last_known_affected_version_range": "<= 8.0.36"
}

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.71

Affected versions

7.*

7.0.35
7.0.37
7.0.39
7.0.40
7.0.41
7.0.42
7.0.47
7.0.50
7.0.52
7.0.53
7.0.54
7.0.55
7.0.56
7.0.57
7.0.59
7.0.61
7.0.62
7.0.63
7.0.64
7.0.65
7.0.67
7.0.68
7.0.69
7.0.70

Database specific

{
    "last_known_affected_version_range": "<= 7.0.70"
}

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.46

Database specific

{
    "last_known_affected_version_range": "<= 6.0.45"
}