CVSSv2: 6.4

CVE-2007-5342

Published: 27/12/2007 Updated: 25/03/2019
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 up to and including 5.5.25 and 6.0.0 up to and including 6.0.15 does not restrict certain permissions for web applications, which allows malicious users to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.

Vulnerable Products

apache tomcat 5.5.9
apache tomcat 5.5.10
apache tomcat 5.5.11
apache tomcat 5.5.12
apache tomcat 5.5.13
apache tomcat 5.5.14
apache tomcat 5.5.15
apache tomcat 5.5.16
apache tomcat 5.5.17
apache tomcat 5.5.18
apache tomcat 5.5.19
apache tomcat 5.5.20
apache tomcat 5.5.21
apache tomcat 5.5.22
apache tomcat 5.5.23
apache tomcat 5.5.24
apache tomcat 5.5.25
apache tomcat 6.0
apache tomcat 6.0.1
apache tomcat 6.0.2
apache tomcat 6.0.3
apache tomcat 6.0.4
apache tomcat 6.0.5
apache tomcat 6.0.6
apache tomcat 6.0.7
apache tomcat 6.0.8
apache tomcat 6.0.9
apache tomcat 6.0.10
apache tomcat 6.0.11
apache tomcat 6.0.12
apache tomcat 6.0.13
apache tomcat 6.0.14
apache tomcat 6.0.15

Vendor Advisories

Synopsis: Low: JBoss Enterprise Application Platform 430CP02 security update. Type/Severity: Security Advisory: Low. Topic: Updated JBoss Enterprise Application Platform (JBEAP) 43 packages that fix various security issues are now available for Red Hat Enterprise Linux 5 as JBEAP 430CP02. This update has been ...

Synopsis: Important: tomcat security update. Type/Severity: Security Advisory: Important. Topic: Updated tomcat packages that fix several security issues are now available for Red Hat Application Server v2. This update has been rated as having important security impact by the Red Hat Security Response Team ...

References

CWE-264