Arbitrary File Upload Affecting org.apache.tomcat.embed:tomcat-embed-core package, versions [7.0.0, 7.0.40)
25 Dec 2016
19 Jan 2014
How to fix?
Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.40 or higher.
org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.
Affected versions of this package are vulnerable to Arbitrary File Upload. In certain situations involving outdated
java.io.File code and a custom JMX configuration, this allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.