The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.
References
Configurations
Configuration 1 (hide)
|
Information
Published : 2007-12-27 14:46
Updated : 2023-02-12 18:18
NVD link : CVE-2007-5342
Mitre link : CVE-2007-5342
JSON object : View
CWE
CWE-264
Permissions, Privileges, and Access Controls
Products Affected
apache
- tomcat