Description
org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.
References (4)
Core 4
Core References
Patch x_refsource_confirm
http://svn.apache.org/viewvc?view=revision&revision=1176588
Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-7.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/50603
Scores
EPSS
0.0064
EPSS Percentile
46.6%
Details
CWE
CWE-264
Status
published
Products (22)
apache/tomcat
7.0.0 (2 CPE variants)
apache/tomcat
7.0.1
apache/tomcat
7.0.2
apache/tomcat
7.0.3
apache/tomcat
7.0.4
apache/tomcat
7.0.5
apache/tomcat
7.0.6
apache/tomcat
7.0.7
apache/tomcat
7.0.8
apache/tomcat
7.0.9
... and 12 more
Published
Nov 11, 2011
Tracked Since
Feb 18, 2026