OVAL

ALAS-2016-657 ---- tomcat7

ID: oval:org.secpod.oval:def:1600351
Date: (C) 2016-05-19   (M) 2023-12-14
Class: PATCH
Family: unix

A directory traversal vulnerability was discovered in RequestUtil.java which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. A session fixation vulnerability was discovered that might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request when different session settings are used for deployments of multiple versions of the same web application. It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections.

Platform:
Amazon Linux AMI
Product:
tomcat7
Reference:
ALAS-2016-657
CVE-2015-5174
CVE-2015-5346
CVE-2014-7810
CVE (3):
CVE-2014-7810
CVE-2015-5346
CVE-2015-5174
CPE (2):
cpe:/o:amazon:linux
cpe:/a:apache:tomcat7

© SecPod Technologies