The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat
7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not
consider whether ResourceLinkFactory.setGlobalContext callers are
authorized, which allows remote authenticated users to bypass intended
SecurityManager restrictions and read or write to arbitrary
application data, or cause a denial of service (application
disruption), via a web application that sets a crafted global context.
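An added illustration of the flaw described above, written for this page and not taken from Tomcat's source: a static global-context setter that any code in the JVM can call, next to a version that asks the installed SecurityManager whether the caller holds a permission. The class name, method names and the permission string are assumptions for the sketch.

```java
import javax.naming.Context;

// Constructed sketch, not Tomcat's ResourceLinkFactory. It contrasts an
// unguarded static setter with one gated by a SecurityManager permission.
public class GlobalContextHolder {

    private static Context globalContext;

    // Vulnerable pattern: nothing checks who is calling. Even with a
    // SecurityManager active, an untrusted web application can replace the
    // container-wide context and thereby redirect every resource-link lookup.
    public static void setGlobalContextUnchecked(Context ctx) {
        globalContext = ctx;
    }

    // Hardened pattern: when a SecurityManager is installed, require a
    // RuntimePermission that the policy grants only to the container's own
    // code. Any other caller receives a SecurityException and the context
    // is left untouched. The permission name below is an assumption.
    public static void setGlobalContextChecked(Context ctx) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new RuntimePermission(
                    GlobalContextHolder.class.getName() + ".setGlobalContext"));
        }
        globalContext = ctx;
    }

    public static Context getGlobalContext() {
        return globalContext;
    }
}
```

With a SecurityManager enabled, the checked variant only succeeds for code whose protection domain is granted `java.lang.RuntimePermission "GlobalContextHolder.setGlobalContext"` in the policy file; web applications that lack that grant fail with a SecurityException.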