Vulnerability Description
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 7.0 |
| Apache | Tomcat | 6.0.0 |
| Hp | Hp-Ux | 11.31 |
Related Weaknesses (CWE)
References
- http://marc.info/?l=bugtraq&m=145974991225029&w=2Third Party Advisory
- http://rhn.redhat.com/errata/RHSA-2015-1621.html
- http://rhn.redhat.com/errata/RHSA-2015-1622.html
- http://rhn.redhat.com/errata/RHSA-2016-0492.html
- http://rhn.redhat.com/errata/RHSA-2016-2046.html
- http://svn.apache.org/viewvc?view=revision&revision=1644018Patch
- http://svn.apache.org/viewvc?view=revision&revision=1645642Patch
- http://tomcat.apache.org/security-6.htmlPatchVendor Advisory
- http://tomcat.apache.org/security-7.htmlPatchVendor Advisory
- http://tomcat.apache.org/security-8.htmlPatchVendor Advisory
- http://www.debian.org/security/2015/dsa-3428
- http://www.debian.org/security/2016/dsa-3447
- http://www.debian.org/security/2016/dsa-3530Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
FAQ
What is CVE-2014-7810?
CVE-2014-7810 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implement...
How severe is CVE-2014-7810?
CVE-2014-7810 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-7810?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Apache Tomcat, Hp Hp-Ux.