Apache Tomcat CVE-2010-3718 Security Manager File Permission Bypass

Key Information Vulnerability Title: Apache Tomcat Local bypass of security manager file permissions CVE ID: CVE-2010-3718 CVSS Base Score: 1.2/10 Risk Level: Low Impact Subscore: 2.9/10 Exploitability Subscore: 1.9/10 Authentication Required: None Vulnerability Type: CWE-DesignError CVSS Score Details: - Scope: Local - Confidentiality Impact: None - Integrity Impact: Partial - Availability Impact: None - Attack Complexity: High Affected Versions Tomcat 7.0.0 to 7.0.3 Tomcat 6.0.0 to 6.0.? Tomcat 5.5.0 to 5.5.? Earlier unsupported versions may also be affected. Vulnerability Description When running with a SecurityManager, file system access is restricted. However, web applications have read/write access to the working directory. This directory is used for various temporary files, such as intermediate files generated during JSP compilation. The location of this directory is specified by a ServletContext attribute, which should be read-only for web applications. Due to a coding error, the read-only setting was not enforced. As a result, a malicious web application could modify this attribute before Tomcat enforces application file permissions. This could be exploited to grant itself read/write access to any part of the file system. This vulnerability only applies when hosting web applications from untrusted sources, such as in shared hosting environments. Mitigation Users of affected versions should apply one of the following mitigations: Upgrade to a Tomcat version that fixes this issue Disable all web applications hosted from untrusted sources References http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html Discovery Attribution This issue was discovered by the Tomcat Security Team.

Goal Reached Thanks to every supporter — we hit 100%!

Apache Tomcat CVE-2010-3718 Security Manager File Permission Bypass