CVE-2007-5342 – org.apache.tomcat:tomcat-juli
Package
Manager: maven
Name: org.apache.tomcat:tomcat-juli
Vulnerable Version: >=5.5.9 <=5.5.25 || >=6.0.0 <=6.0.15
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.12423 (percentile 0.9366)
Details
JULI logging component in Apache Tomcat does not restrict certain permissions for web applications
The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the `org.apache.juli.FileHandler` handler.
Metadata
Created: 2022-05-01T18:32:22Z
Modified: 2023-09-22T21:54:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w65j-cmqc-37p2/GHSA-w65j-cmqc-37p2.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-w65j-cmqc-37p2
Finding: F039
Auto approve: 1