GHSA-w65j-cmqc-37p2

Source
https://github.com/advisories/GHSA-w65j-cmqc-37p2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w65j-cmqc-37p2/GHSA-w65j-cmqc-37p2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w65j-cmqc-37p2
Aliases
  • CVE-2007-5342
Published
2022-05-01T18:32:22Z
Modified
2023-11-08T03:56:48.676445Z
Summary
JULI logging component in Apache Tomcat does not restrict certain permissions for web applications
Details

The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.

Database specific
{
    "nvd_published_at": "2007-12-27T22:46:00Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-22T21:54:06Z"
}
References

Affected packages

Maven / org.apache.tomcat:tomcat-juli

Package

Name
org.apache.tomcat:tomcat-juli
Purl
pkg:maven/org.apache.tomcat/tomcat-juli

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.5.9
Last affected
5.5.25

Maven / org.apache.tomcat:tomcat-juli

Package

Name
org.apache.tomcat:tomcat-juli
Purl
pkg:maven/org.apache.tomcat/tomcat-juli

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Last affected
6.0.15