CVE-2014-7810: Improper Access Control
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
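As an added defender-side example that is not part of this advisory, the script below checks Tomcat version strings (as printed by `version.sh` or reported in a server inventory) against the affected ranges stated above; the inventory lines are constructed, and the `FIXED_IN` table is taken directly from the description.

```python
import re

# Fixed versions from the advisory text: 6.x before 6.0.44, 7.x before 7.0.58
# and 8.x before 8.0.16 are affected. Other majors are outside its scope.
FIXED_IN = {6: (6, 0, 44), 7: (7, 0, 58), 8: (8, 0, 16)}

# Matches "Apache Tomcat/7.0.57", "Server number: 7.0.57.0" or a bare "8.0.16".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_tomcat_version(text):
    """Return (major, minor, patch) from a version.sh line or server banner,
    or None when the text carries no x.y.z version."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())

def is_affected(version):
    """True when the version falls in one of the advisory's vulnerable ranges.
    Accepts a tuple or a string; unknown majors and unparsable input are
    reported as not affected by *this* advisory (not as safe in general)."""
    if isinstance(version, str):
        version = parse_tomcat_version(version)
    if version is None:
        return False
    fixed = FIXED_IN.get(version[0])
    return fixed is not None and version < fixed

def triage(lines):
    """Map each inventory line to (line, version label, affected?)."""
    results = []
    for line in lines:
        v = parse_tomcat_version(line)
        label = ".".join(map(str, v)) if v else "unknown"
        results.append((line.strip(), label, is_affected(v)))
    return results

# Constructed sample inventory lines, not real hosts.
SAMPLE_INVENTORY = [
    "web-01  Server version: Apache Tomcat/7.0.57",
    "web-02  Server number:  7.0.58.0",
    "web-03  Apache Tomcat/8.0.15",
    "web-04  Apache Tomcat/6.0.44",
    "web-05  Apache Tomcat/9.0.1",
]

if __name__ == "__main__":
    for host, ver, bad in triage(SAMPLE_INVENTORY):
        print(f"{host:45} {ver:10} {'AFFECTED' if bad else 'ok'}")
```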
References
- marc.info/?l=bugtraq&m=145974991225029&w=2
- rhn.redhat.com/errata/RHSA-2015-1621.html
- rhn.redhat.com/errata/RHSA-2015-1622.html
- rhn.redhat.com/errata/RHSA-2016-0492.html
- rhn.redhat.com/errata/RHSA-2016-2046.html
- svn.apache.org/viewvc?view=revision&revision=1644018
- svn.apache.org/viewvc?view=revision&revision=1645642
- tomcat.apache.org/security-6.html
- tomcat.apache.org/security-7.html
- tomcat.apache.org/security-8.html
- www.debian.org/security/2015/dsa-3428
- www.debian.org/security/2016/dsa-3447
- www.debian.org/security/2016/dsa-3530
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
- www.ubuntu.com/usn/USN-2654-1
- www.ubuntu.com/usn/USN-2655-1
- github.com/advisories/GHSA-4c43-cwvx-9crh
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
- lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- nvd.nist.gov/vuln/detail/CVE-2014-7810