CVE-2007-5342: Apache Tomcat's default security policy is too open

CVSS Base Score: 6.4/10
Exploit Range: Remote
Risk: Low
Local/Remote: Local: Yes, Remote: No
CWE: CWE-264
Credit: Delian Krustev
Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.9 to 5.5.25
Tomcat 6.0.0 to 6.0.15

Description:
The JULI logging component allows web applications to provide their own logging configurations. The default security policy does not restrict this configuration, so an untrusted web application can create files, or overwrite existing ones, anywhere the Tomcat process itself has the file permissions to do so.

Mitigation:
Apply the following patch to the file:
Patch URL: http://svn.apache.org/viewvc?rev=606594&view=rev
Patch included in versions 5.5.25 onwards and 6.0.16 onwards.

Reference: http://tomcat.apache.org/security.html
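The per-webapp logging configuration the advisory refers to is a JULI logging.properties file, in which each `org.apache.juli.FileHandler` names the directory it writes to. As an added audit aid (not part of the advisory or the Tomcat project), the script below parses such a file and flags any handler whose directory resolves outside an allowed log tree; it assumes `${catalina.base}/logs` is the only place webapp handlers should write, and the sample configuration is constructed for the example.

```python
import posixpath
import re

# Constructed sample of a webapp's WEB-INF/classes/logging.properties (JULI format).
# The second handler steers its output directory outside the logs tree, which is
# the kind of configuration the unpatched default policy does not prevent.
SAMPLE_LOGGING_PROPERTIES = """
handlers = 1app.org.apache.juli.FileHandler, 2other.org.apache.juli.FileHandler

1app.org.apache.juli.FileHandler.level = FINE
1app.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1app.org.apache.juli.FileHandler.prefix = app.

2other.org.apache.juli.FileHandler.level = FINE
2other.org.apache.juli.FileHandler.directory = ${catalina.base}/logs/../conf
2other.org.apache.juli.FileHandler.prefix = notes.
"""

# Matches "<handlerName>.org.apache.juli.FileHandler.directory = <value>"
HANDLER_DIR_RE = re.compile(
    r"^\s*([^#=\s]+)\.org\.apache\.juli\.FileHandler\.directory\s*=\s*(.+?)\s*$"
)


def _expand(value, props):
    # Substitute ${name} tokens such as ${catalina.base}; unknown names are left as-is.
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def find_unsafe_handlers(text, catalina_base, allowed_root=None):
    """Return (handler_name, resolved_dir) for each JULI FileHandler whose output
    directory resolves outside allowed_root (default: <catalina_base>/logs)."""
    props = {"catalina.base": catalina_base, "catalina.home": catalina_base}
    allowed = posixpath.normpath(allowed_root or posixpath.join(catalina_base, "logs"))
    findings = []
    for line in text.splitlines():
        m = HANDLER_DIR_RE.match(line)
        if not m:
            continue
        name, raw_dir = m.groups()
        # normpath collapses "..", so traversal out of the logs tree is caught.
        resolved = posixpath.normpath(_expand(raw_dir, props))
        if not (resolved == allowed or resolved.startswith(allowed + "/")):
            findings.append((name, resolved))
    return findings


if __name__ == "__main__":
    for name, path in find_unsafe_handlers(SAMPLE_LOGGING_PROPERTIES, "/opt/tomcat"):
        print(f"handler {name!r} writes outside the logs tree: {path}")
```

Such a scan only helps triage deployed webapps; on affected versions the fix is the patch above, since the policy, not the configuration file, is what permits the write.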