CVE - CVE-2007-5342

CVE-ID
CVE-2007-5342	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20071223 [CVE-2007-5342] Apache Tomcat's default security policy is too open URL:http://www.securityfocus.com/archive/1/485481/100/0/threaded BUGTRAQ:20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components URL:http://www.securityfocus.com/archive/1/507985/100/0/threaded MISC:http://svn.apache.org/viewvc?view=rev&revision=606594 CONFIRM:http://tomcat.apache.org/security-5.html CONFIRM:http://tomcat.apache.org/security-6.html CONFIRM:http://www.vmware.com/security/advisories/VMSA-2008-0010.html CONFIRM:http://support.apple.com/kb/HT3216 CONFIRM:http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm CONFIRM:http://www.vmware.com/security/advisories/VMSA-2009-0016.html APPLE:APPLE-SA-2008-10-09 URL:http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html DEBIAN:DSA-1447 URL:http://www.debian.org/security/2008/dsa-1447 FEDORA:FEDORA-2008-1467 URL:https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html FEDORA:FEDORA-2008-1603 URL:https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html GENTOO:GLSA-200804-10 URL:http://security.gentoo.org/glsa/glsa-200804-10.xml HP:HPSBST02955 URL:http://marc.info/?l=bugtraq&m=139344343412337&w=2 MANDRIVA:MDVSA-2008:188 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2008:188 REDHAT:RHSA-2008:0042 URL:http://www.redhat.com/support/errata/RHSA-2008-0042.html REDHAT:RHSA-2008:0195 URL:http://www.redhat.com/support/errata/RHSA-2008-0195.html REDHAT:RHSA-2008:0862 URL:http://www.redhat.com/support/errata/RHSA-2008-0862.html REDHAT:RHSA-2008:0831 URL:http://www.redhat.com/support/errata/RHSA-2008-0831.html REDHAT:RHSA-2008:0832 URL:http://www.redhat.com/support/errata/RHSA-2008-0832.html REDHAT:RHSA-2008:0833 URL:http://www.redhat.com/support/errata/RHSA-2008-0833.html REDHAT:RHSA-2008:0834 URL:http://www.redhat.com/support/errata/RHSA-2008-0834.html SUSE:SUSE-SR:2009:004 URL:http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html BID:27006 URL:http://www.securityfocus.com/bid/27006 BID:31681 URL:http://www.securityfocus.com/bid/31681 OVAL:oval:org.mitre.oval:def:10417 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10417 SECUNIA:37460 URL:http://secunia.com/advisories/37460 SECUNIA:57126 URL:http://secunia.com/advisories/57126 VUPEN:ADV-2008-0013 URL:http://www.vupen.com/english/advisories/2008/0013 VUPEN:ADV-2008-1856 URL:http://www.vupen.com/english/advisories/2008/1856/references VUPEN:ADV-2008-2823 URL:http://www.vupen.com/english/advisories/2008/2823 VUPEN:ADV-2008-2780 URL:http://www.vupen.com/english/advisories/2008/2780 OSVDB:39833 URL:http://osvdb.org/39833 SECUNIA:28274 URL:http://secunia.com/advisories/28274 SECUNIA:28317 URL:http://secunia.com/advisories/28317 SECUNIA:28915 URL:http://secunia.com/advisories/28915 SECUNIA:29313 URL:http://secunia.com/advisories/29313 SECUNIA:29711 URL:http://secunia.com/advisories/29711 SECUNIA:30676 URL:http://secunia.com/advisories/30676 SECUNIA:32222 URL:http://secunia.com/advisories/32222 SECUNIA:32120 URL:http://secunia.com/advisories/32120 SECUNIA:32266 URL:http://secunia.com/advisories/32266 SREASON:3485 URL:http://securityreason.com/securityalert/3485 VUPEN:ADV-2009-3316 URL:http://www.vupen.com/english/advisories/2009/3316 XF:apache-juli-logging-weak-security(39201) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/39201
Assigning CNA
N/A
Date Entry Created
20071010	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20071010)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org