CVE-2014-7810: Improper Access Control in Apache Tomcat

Severity: 5.0 MEDIUM (NVD)
EPSS: 9.5% (top 7.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 7
Latest update: May 14

Description

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (1 package)

NVD: apache/tomcat (103 versions)

Also affects: Debian Linux 7.0

Patches

🔴 Vulnerability Details (4)

OSV: Improper Access Control in Apache Tomcat (2022-05-14)
GHSA: Improper Access Control in Apache Tomcat (2022-05-14)
CVEList: CVE-2014-7810: The Expression Language (EL) implementation in Apache Tomcat 6 (2015-06-07)
OSV: CVE-2014-7810: The Expression Language (EL) implementation in Apache Tomcat 6 (2015-06-07)

📋 Vendor Advisories (4)

Ubuntu: Tomcat vulnerabilities (2015-06-25)
Ubuntu: Tomcat vulnerabilities (2015-06-25)
Red Hat: Tomcat/JbossWeb: security manager bypass via EL expressions (2015-05-14)
Apache: Apache tomcat: CVE-2014-7810

💬 Community (3)

Bugzilla: CVE-2014-7810 tomcat: Tomcat/JbossWeb: security manager bypass via EL expressions [epel-6] (2015-05-18)
Bugzilla: CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions (2015-05-18)
Bugzilla: CVE-2014-7810 tomcat: Tomcat/JbossWeb: security manager bypass via EL expressions [fedora-all] (2015-05-18)