Vulnerability Description
Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.
The attribute in question is the standard `javax.servlet.context.tempdir` attribute, which tells a web application where its work directory is. When Tomcat runs under a SecurityManager it grants each web application read/write file permissions for that work directory, and the directory location is taken from this attribute. Because the attribute was not marked read-only, a web application could overwrite it (for example with a path containing `../` components) before Tomcat applied the permissions, and so obtain read/write access to a location of its choosing on the file system. The issue only matters when Tomcat hosts web applications from untrusted sources (shared hosting) under a SecurityManager; without a SecurityManager a web application already has the full file access of the Tomcat process. The fix (marking the attribute read-only) shipped in Tomcat 7.0.4, 6.0.30 and 5.5.32.
CVSS Score
1.2 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Tomcat | 7.0.0 through 7.0.3 (fixed in 7.0.4) |
| Apache | Tomcat | 6.0.x before 6.0.30 (fixed in 6.0.30) |
| Apache | Tomcat | 5.5.x before 5.5.32 (fixed in 5.5.32) |
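The following is an added example, not code from this page or from the Tomcat project. It parses the `Server version:` line printed by `catalina.sh version` (or `version.sh`), decides whether the build predates the fix for this CVE, and separately checks the JVM command line for `-Djava.security.manager`, which is what `catalina.sh start -security` adds and is the precondition for this bug to be reachable. The fixed releases (7.0.4, 6.0.30, 5.5.32) are those stated on the Tomcat security pages listed in the references; the sample version lines and command lines in the block are constructed, not captured from a real host.

```python
"""Added example: is a Tomcat build in the CVE-2010-3718 affected range,
and is the SecurityManager precondition met?

Input format is the "Server version:" line printed by ``catalina.sh version``
(equivalently ``version.sh``), e.g. ``Server version: Apache Tomcat/7.0.3``.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First release of each branch carrying the fix, per the Tomcat
# security-5/6/7 pages listed in the references.
FIXED_IN = {
    (7, 0): (7, 0, 4),
    (6, 0): (6, 0, 30),
    (5, 5): (5, 5, 32),
}

_VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_version(line: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a 'Server version:' line, or None."""
    m = _VERSION_RE.search(line)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> Optional[bool]:
    """True if older than the fixed release of its branch, False if fixed,
    None if the branch is not covered by this advisory (e.g. 8.x, which
    was released after the fix and never carried the bug)."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def security_manager_enabled(java_cmdline: str) -> bool:
    """The bug needs a SecurityManager. ``catalina.sh start -security``
    passes ``-Djava.security.manager`` to the JVM, so that exact flag is
    what a triage script should look for in the running process's
    command line (``ps -o args``)."""
    return "-Djava.security.manager" in java_cmdline.split()


def assess(version_line: str, java_cmdline: str) -> dict:
    """Combine both checks into a verdict a triage script can act on."""
    version = parse_version(version_line)
    if version is None:
        return {"version": None, "affected": None, "security_manager": None,
                "verdict": "unknown-version"}
    affected = is_affected(version)
    sm = security_manager_enabled(java_cmdline)
    if affected is None:
        verdict = "branch-not-covered"
    elif not affected:
        verdict = "fixed"
    elif sm:
        verdict = "vulnerable"
    else:
        verdict = "affected-but-no-securitymanager"
    return {"version": version, "affected": affected,
            "security_manager": sm, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    samples = [
        ("Server version: Apache Tomcat/7.0.3",
         "java -Djava.security.manager -Djava.security.policy==conf/catalina.policy "
         "org.apache.catalina.startup.Bootstrap start"),
        ("Server version: Apache Tomcat/6.0.29",
         "java org.apache.catalina.startup.Bootstrap start"),
        ("Server version: Apache Tomcat/5.5.32",
         "java -Djava.security.manager org.apache.catalina.startup.Bootstrap start"),
    ]
    for line, cmd in samples:
        print(line, "->", assess(line, cmd)["verdict"])
```

A version-string check is only reliable for builds taken directly from tomcat.apache.org. Distribution and vendor packages (the openSUSE, Novell and Apple entries in the references) commonly backport the fix without changing the reported version, so for those hosts the package changelog or vendor advisory, not the `Server version:` line, is the authority.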
References
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
- http://marc.info/?l=bugtraq&m=130168502603566&w=2
- http://marc.info/?l=bugtraq&m=132215163318824&w=2
- http://marc.info/?l=bugtraq&m=136485229118404&w=2
- http://marc.info/?l=bugtraq&m=139344343412337&w=2
- http://secunia.com/advisories/43192 (Vendor Advisory)
- http://secunia.com/advisories/45022
- http://secunia.com/advisories/57126
- http://securityreason.com/securityalert/8072
- http://support.apple.com/kb/HT5002
- http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.
- http://tomcat.apache.org/security-5.html (Vendor Advisory)
- http://tomcat.apache.org/security-6.html (Vendor Advisory)
- http://tomcat.apache.org/security-7.html (Vendor Advisory)
FAQ
What is CVE-2010-3718?
CVE-2010-3718 is a vulnerability with a CVSS score of 1.2 (LOW). Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.
How severe is CVE-2010-3718?
CVE-2010-3718 has been rated LOW with a CVSS base score of 1.2/10. The low score reflects its preconditions: the attacker must already be able to deploy a web application on the server, and Tomcat must be running under a SecurityManager, so it is a sandbox escape for untrusted hosted applications rather than a remotely exploitable flaw.
Is there a patch for CVE-2010-3718?
Yes. Upgrade to Apache Tomcat 7.0.4, 6.0.30 or 5.5.32 (or later in the respective branch). Operating-system vendors that ship Tomcat also issued updates; see the Apple, openSUSE and Novell entries in the references section above, since those packages may carry the fix without changing the reported Tomcat version. Affected products include: Apache Tomcat.