The session-persistence implementation in Apache Tomcat 6.x before
6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2
mishandles session attributes: when a persisted session is reloaded,
attribute values are deserialized without any restriction on which
classes may be instantiated, and that deserialization runs in Tomcat's
own (privileged) context rather than under the web application's
SecurityManager sandbox. This allows remote authenticated users to
bypass intended SecurityManager restrictions and execute arbitrary
code in a privileged context via a web application that places a
crafted serializable object in a session; the object's deserialization
logic runs with the container's privileges once the session is
persisted and read back. The vulnerability is therefore relevant only
to deployments that rely on a SecurityManager to confine untrusted web
applications and that use session persistence (for example across
restarts or through a PersistentManager store).
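The fixed releases address this by letting the session manager restrict which classes may be deserialized from a persisted session. The following is an added configuration example, not text from the advisory above or from the Tomcat project: it assumes the `sessionAttributeValueClassNameFilter` and `sessionAttributeNameFilter` attributes that Tomcat documents for its `<Manager>` element from the fixed versions onward, and a hypothetical web application at the context path `/untrusted`. The first `<Manager>` shows the weak setting (no filter, matching the behaviour of the vulnerable releases when no SecurityManager default applies); the second shows the hardened setting.

```xml
<!-- Added example (assumed attribute names, hypothetical context path) -->
<!-- META-INF/context.xml of the web application deployed at /untrusted -->

<!-- Weak: every class found in the persisted session is deserialized,
     so a crafted object placed in the session by the application
     has its readObject() logic executed by the container itself. -->
<Context path="/untrusted">
  <Manager className="org.apache.catalina.session.PersistentManager"
           saveOnRestart="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>

<!-- Hardened: only plain JDK value types may be restored from a
     persisted session, and only attributes whose names match the
     given pattern are persisted at all. Anything else is dropped,
     with a warning logged, instead of being deserialized. -->
<Context path="/untrusted">
  <Manager className="org.apache.catalina.session.PersistentManager"
           saveOnRestart="true"
           sessionAttributeNameFilter="^(cart|user|locale)$"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>
```

Both filters are Java regular expressions matched against the full attribute name or the fully qualified class name of the attribute value, so the allow-list should be as narrow as the application's session contents permit; an application that stores its own serializable classes in the session must add them to the value-class pattern explicitly, which is exactly the point at which a reviewer should ask why those classes need to be persisted at all.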