The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
08 Dec 2023, 16:41
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:* | |
References |
|
|
Information
Published : 2016-02-25 01:59
Updated : 2024-02-04 18:53
NVD link : CVE-2016-0763
Mitre link : CVE-2016-0763
CVE.ORG link : CVE-2016-0763
JSON object : View
Products Affected
canonical
- ubuntu_linux
apache
- tomcat
debian
- debian_linux
CWE
CWE-264
Permissions, Privileges, and Access Controls