Access Restriction Bypass Affecting org.apache.tomcat.embed:tomcat-embed-core package, versions [7.0.0,7.0.68) [8.0.0-RC1,8.0.32) [9.0.0.M1,9.0.0.M3)
Do your applications use this vulnerable package?
- Snyk ID SNYK-JAVA-ORGAPACHETOMCATEMBED-30989
- published 22 Feb 2016
- disclosed 22 Feb 2016
- credit Unknown
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.