6.4
CVSSv2

CVE-2007-5342

Published: 27/12/2007 Updated: 25/03/2019
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 up to and including 5.5.25 and 6.0.0 up to and including 6.0.15 does not restrict certain permissions for web applications, which allows malicious users to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.

Affected Products

Vendor Product Versions
ApacheTomcat5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.5.14, 5.5.15, 5.5.16, 5.5.17, 5.5.18, 5.5.19, 5.5.20, 5.5.21, 5.5.22, 5.5.23, 5.5.24, 5.5.25, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15

Vendor Advisories

Synopsis Low: JBoss Enterprise Application Platform 430CP02 security update Type/Severity Security Advisory: Low Topic Updated JBoss Enterprise Application Platform (JBEAP) 43 packages that fixvarious security issues are now available for Red Hat Enterprise Linux 5 asJBEAP 430CP02This update has been ...
Synopsis Important: tomcat security update Type/Severity Security Advisory: Important Topic Updated tomcat packages that fix several security issues are now availablefor Red Hat Application Server v2This update has been rated as having important security impact by the RedHat Security Response Team ...

References

CWE-264http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.htmlhttp://marc.info/?l=bugtraq&m=139344343412337&w=2http://osvdb.org/39833http://secunia.com/advisories/28274http://secunia.com/advisories/28317http://secunia.com/advisories/28915http://secunia.com/advisories/29313http://secunia.com/advisories/29711http://secunia.com/advisories/30676http://secunia.com/advisories/32120http://secunia.com/advisories/32222http://secunia.com/advisories/32266http://secunia.com/advisories/37460http://secunia.com/advisories/57126http://security.gentoo.org/glsa/glsa-200804-10.xmlhttp://securityreason.com/securityalert/3485http://support.apple.com/kb/HT3216http://support.avaya.com/elmodocs2/security/ASA-2008-401.htmhttp://svn.apache.org/viewvc?view=rev&revision=606594http://tomcat.apache.org/security-5.htmlhttp://tomcat.apache.org/security-6.htmlhttp://www.debian.org/security/2008/dsa-1447http://www.mandriva.com/security/advisories?name=MDVSA-2008:188http://www.redhat.com/support/errata/RHSA-2008-0042.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0195.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0831.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0832.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0833.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0834.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0862.htmlhttp://www.securityfocus.com/archive/1/485481/100/0/threadedhttp://www.securityfocus.com/archive/1/507985/100/0/threadedhttp://www.securityfocus.com/bid/27006http://www.securityfocus.com/bid/31681http://www.vmware.com/security/advisories/VMSA-2008-0010.htmlhttp://www.vmware.com/security/advisories/VMSA-2009-0016.htmlhttp://www.vupen.com/english/advisories/2008/0013http://www.vupen.com/english/advisories/2008/1856/referenceshttp://www.vupen.com/english/advisories/2008/2780http://www.vupen.com/english/advisories/2008/2823http://www.vupen.com/english/advisories/2009/3316https://exchange.xforce.ibmcloud.com/vulnerabilities/39201https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3Ehttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10417https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.htmlhttps://access.redhat.com/errata/RHSA-2008:0832http://tools.cisco.com/security/center/viewAlert.x?alertId=14831https://nvd.nist.govhttps://www.rapid7.com/db/vulnerabilities/hpux-cve-2008-2364