CVE-2007-5342 — Improper Access Control in Apache Tomcat

CWE-264 CWE-284 — Improper Access Control6 documents6 sources

Severity

6.4MEDIUMNVD

EPSS

18.1%

top 4.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat

Timeline

PublishedDec 27

Latest updateMay 1

Description

The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages1 packages

▶NVDapache/tomcat33 versions+32

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

JULI logging component in Apache Tomcat does not restrict certain permissions for web applications↗2022-05-01

▶

OSV

JULI logging component in Apache Tomcat does not restrict certain permissions for web applications↗2022-05-01

▶

CVEList

CVE-2007-5342: The default catalina↗2007-12-27

▶

📋Vendor Advisories

Red Hat

Apache Tomcat's default security policy is too open↗2007-12-23

▶

💬Community

Bugzilla

CVE-2007-5342 Apache Tomcat's default security policy is too open↗2008-01-02

▶