tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject [SECURITY] CVE-2010-3718 Apache Tomcat Local bypass of security manger file permissions
Date Sat, 05 Feb 2011 02:04:57 GMT
CVE-2010-3718 Apache Tomcat Local bypass of security manger file permissions

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.3
- Tomcat 6.0.0 to 6.0.?
- Tomcat 5.5.0 to 5.5.?
- Earlier, unsupported versions may also be affected

When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files
such as the intermediate files generated when compiling JSPs to Servlets.
The location of the work directory is specified by a ServletContect
attribute that is meant to be read-only to web applications. However,
due to a coding error, the read-only setting was not applied. Therefore
a malicious web application may modify the attribute before Tomcat
applies the file permissions. This can be used to grant read/write
permissions to any area on the file system which a malicious web
application may then take advantage of.
This vulnerability is only applicable when hosting web applications from
untrusted sources such as shared hosting environments.

Example (AL2 licensed):

Listener source
package listeners;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

public final class FooListener implements ServletContextListener {
    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext(); workdir = ( context
        if (workdir.toString().indexOf("..") < 0) {
                    new, "../../../../conf"));
    public void contextDestroyed(ServletContextEvent event) {

web.xml snippet

Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat version where this issue is fixed
- Undeploy all web applications from untrusted sources

The issue was identified by the Tomcat security team.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message