Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[SECURITY] CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app
From: Mark Thomas <markt () apache org>
Date: Tue, 08 Nov 2011 17:52:16 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.21

Description:
This issue only affects environments running web applications that are
not trusted (e.g. shared hosting environments). The Servlets that
implement the functionality of the Manager application that ships with
Apache Tomcat should only be available to Contexts (web applications)
that are marked as privileged. However, this check was not being made.
This allowed an untrusted web application to use the functionality of
the Manager application. This could be used to obtain information on
running web applications as well as deploying additional web applications.

Mitigation:
Users of Tomcat 7.0.x should upgrade to 7.0.22 or later

Credit:
This issue was identified by Ate Douma

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOuWxPAAoJEBDAHFovYFnng3oP/jkYsplqxz9hjWi6uztQK3Gv
BlS1IlbyqW5HW8rqr/pyfLWDDiJZUc+FmWRbyT96r/V4z0w4oGglGi289owLr1Lx
bsGlauWQhZh7k5nWKboMVEk6CjGOXVQ9zMJJwhEkrXn6/HNV5O65F/0nnLoHgStM
DNyKKpYDtc6XCI7+Pcutv3fqkk9niF3KSF3rePKlpUstVbuLx9HlX+0fbj7+X4w/
PyE5R9tVfr3Toiwn546QQR73VkOSmAGt0IEE9P06oY50ruW3/Z6wJjVHrlJUsoQ3
txupoC+FCZ5ph8DfoeVzav6Y3W9dImXz6rzxm3YnUKCDZuWnGVNzDE4IUyKdRM5t
W/Smquaat8VxsxMbU34bSJHYA1m2nos4qPrQvJl2w0wKWrPFRnu4f8RImvg1BIPH
gZ17raqPjdoBuE3H4ivgF0DSasVdYM/Ge977B+6nD9jzwE6FEFAFCCRpbYvD/6SA
//QbqSlcULb6CKZ6D/rNbLSQ3e0QD6GYaz3HjJcCtJkqo2FoLGY88AxtoF4es5SB
thYJf7r51J9W8g7nvw+b7Y0+eG3IczsBA0spIoyzIKr1RxSEFE2220idPdotpjAf
aticEwF9U5przWmwNab7lKUd91bo32ZVtvIprPGL/NfHrL3KC891gjYqkQtrcJC5
SkiQ74ix/uGZTB6HHCWm
=wak3
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [SECURITY] CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app Mark Thomas (Nov 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]