Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/02/22 14:18:59 UTC
svn commit: r1731638 - in /tomcat/site/trunk: docs/security-6.html
docs/security-7.html docs/security-8.html docs/security-9.html
xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml
xdocs/security-9.xml
Author: markt
Date: Mon Feb 22 13:18:59 2016
New Revision: 1731638
URL: http://svn.apache.org/viewvc?rev=1731638&view=rev
Log:
Improve descriptions. In particular, make it clear when an issue only impacts users running untrusted web applications under a security manager.
Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1731638&r1=1731637&r2=1731638&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Feb 22 13:18:59 2016
@@ -338,6 +338,10 @@
</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
<p>When accessing resources via the <code>ServletContext</code> methods
<code>getResource()</code> <code>getResourceAsStream()</code> and
<code>getResourcePaths()</code> the paths should be limited to the
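Review bot: the new qualifier "This issue only affects users running untrusted web applications under a security manager" is asserted but not justified for a directory traversal, so a reader is left wondering why reading outside the web application would matter only when a security manager is present. Suggest one sentence of rationale directly after it, e.g. "Without a security manager a web application can already read any file the Tomcat process can read, so limiting the ServletContext paths only provides isolation when a security manager is in use." Also, the unchanged context line `<code>getResource()</code> <code>getResourceAsStream()</code> and` lists three methods with no comma after the first; `<code>getResource()</code>, <code>getResourceAsStream()</code> and` reads correctly, and the same line recurs in every other page touched by this commit.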
@@ -410,12 +414,17 @@
</p>
-<p>The StatusManagerServlet could be loaded by a web application when a
- security manager was configured. This servlet would then provide the web
- application with a list of all deployed applications and a list of the
- HTTP request lines for all requests currently being processed. This could
- have exposed sensitive information from other web applications such as
- session IDs to the web application.</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
+<p>The internal StatusManagerServlet could be loaded by a malicious web
+ application when a security manager was configured. This servlet could
+ then provide the malicious web application with a list of all deployed
+ applications and a list of the HTTP request lines for all requests
+ currently being processed. This could have exposed sensitive information
+ from other web applications, such as session IDs, to the web
+ application.</p>
<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1722802">1722802</a>.</p>
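Review bot: the replacement paragraph says the servlet "could be loaded by a malicious web application when a security manager was configured" but never says that a security manager was supposed to prevent that, so an entry titled "Security Manager bypass" does not state what was bypassed. Suggest "could be loaded by a malicious web application even when a security manager was configured" and one clause naming the protection a correctly configured security manager was expected to provide. Minor: the closing "to the web application" follows two uses of "the malicious web application"; "to the malicious web application" keeps the actor consistent.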
@@ -434,6 +443,10 @@
</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
<p>Tomcat provides several session persistence mechanisms. The
<code>StandardManager</code> persists session over a restart. The
<code>PersistentManager</code> is able to persist sessions to files, a
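Review bot: the unchanged context line "The <code>StandardManager</code> persists session over a restart." has a grammar error that a wording pass like this one should pick up; "persists sessions over a restart" is the intended reading. The same sentence recurs in the security-7, security-8 and security-9 pages and in all four xdocs sources touched here, and the xdocs copies are the ones to correct since the docs/ HTML mirrors them.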
Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1731638&r1=1731637&r2=1731638&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Feb 22 13:18:59 2016
@@ -398,15 +398,18 @@
<p>
-<strong>Low: CSRF token leak</strong>
+<strong>Moderate: CSRF token leak</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351" rel="nofollow">CVE-2015-5351</a>
</p>
<p>The index page of the Manager and Host Manager applications included a
valid CSRF token when issuing a redirect as a result of an
- unauthenticated request to the root of the web application. This token
- could then be used by an attacker to construct a CSRF attack.</p>
+ unauthenticated request to the root of the web application. If an
+ attacker had access to the Manager or Host Manager applications
+ (typically these applications are only accessible to internal users, not
+ exposed to the Internet), this token could then be used by the attacker
+ to construct a CSRF attack.</p>
<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1720661">1720661</a> and
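Review bot: the severity is raised from Low to Moderate in the same hunk that narrows the precondition ("If an attacker had access to the Manager or Host Manager applications ... not exposed to the Internet"), and nothing in the paragraph explains the higher rating; say what a successful CSRF against the Manager or Host Manager lets the attacker do, otherwise the narrower precondition and the raised severity read as contradictory. Two smaller points: "had access to" is ambiguous because the token is returned to an unauthenticated request, so "could reach" or "had network access to" states the real requirement; and the commit log only mentions the security-manager wording, so the Low to Moderate change for CVE-2015-5351 should be called out there as well.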
@@ -426,12 +429,17 @@
</p>
-<p>The StatusManagerServlet could be loaded by a web application when a
- security manager was configured. This servlet would then provide the web
- application with a list of all deployed applications and a list of the
- HTTP request lines for all requests currently being processed. This could
- have exposed sensitive information from other web applications such as
- session IDs to the web application.</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
+<p>The internal StatusManagerServlet could be loaded by a malicious web
+ application when a security manager was configured. This servlet could
+ then provide the malicious web application with a list of all deployed
+ applications and a list of the HTTP request lines for all requests
+ currently being processed. This could have exposed sensitive information
+ from other web applications, such as session IDs, to the web
+ application.</p>
<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1722801">1722801</a>.</p>
@@ -450,6 +458,10 @@
</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
<p>Tomcat provides several session persistence mechanisms. The
<code>StandardManager</code> persists session over a restart. The
<code>PersistentManager</code> is able to persist sessions to files, a
@@ -479,11 +491,15 @@
</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
<p>
<code>ResourceLinkFactory.setGlobalContext()</code> is a public method
- and was accessible by web applications running under a security manager
- without any checks. This allowed a malicious web application to inject a
- malicious global context that could in turn be used to disrupt other web
+ and was accessible to web applications even when running under a security
+ manager. This allowed a malicious web application to inject a malicious
+ global context that could in turn be used to disrupt other web
applications and/or read and write data owned by other web
applications.</p>
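Review bot: the rewrite drops "without any checks", which was the one clause that explained why this entry is a Security Manager bypass; "accessible to web applications even when running under a security manager" says the call succeeded but no longer says that it was missing a permission check. Suggest keeping that information, e.g. "and, even when running under a security manager, could be called by web applications without any permission check". The same rewrite appears in the security-8 and security-9 pages and in the three xdocs sources that carry this entry.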
@@ -553,6 +569,10 @@
</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
<p>When accessing resources via the <code>ServletContext</code> methods
<code>getResource()</code> <code>getResourceAsStream()</code> and
<code>getResourcePaths()</code> the paths should be limited to the
Modified: tomcat/site/trunk/docs/security-8.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1731638&r1=1731637&r2=1731638&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Mon Feb 22 13:18:59 2016
@@ -340,15 +340,18 @@
<p>
-<strong>Low: CSRF token leak</strong>
+<strong>Moderate: CSRF token leak</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351" rel="nofollow">CVE-2015-5351</a>
</p>
<p>The index page of the Manager and Host Manager applications included a
valid CSRF token when issuing a redirect as a result of an
- unauthenticated request to the root of the web application. This token
- could then be used by an attacker to construct a CSRF attack.</p>
+ unauthenticated request to the root of the web application. If an
+ attacker had access to the Manager or Host Manager applications
+ (typically these applications are only accessible to internal users, not
+ exposed to the Internet), this token could then be used by the attacker
+ to construct a CSRF attack.</p>
<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1720658">1720658</a> and
@@ -368,12 +371,17 @@
</p>
-<p>The StatusManagerServlet could be loaded by a web application when a
- security manager was configured. This servlet would then provide the web
- application with a list of all deployed applications and a list of the
- HTTP request lines for all requests currently being processed. This could
- have exposed sensitive information from other web applications such as
- session IDs to the web application.</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
+<p>The internal StatusManagerServlet could be loaded by a malicious web
+ application when a security manager was configured. This servlet could
+ then provide the malicious web application with a list of all deployed
+ applications and a list of the HTTP request lines for all requests
+ currently being processed. This could have exposed sensitive information
+ from other web applications, such as session IDs, to the web
+ application.</p>
<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1722800">1722800</a>.</p>
@@ -392,6 +400,10 @@
</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
<p>Tomcat provides several session persistence mechanisms. The
<code>StandardManager</code> persists session over a restart. The
<code>PersistentManager</code> is able to persist sessions to files, a
@@ -421,11 +433,15 @@
</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
<p>
<code>ResourceLinkFactory.setGlobalContext()</code> is a public method
- and was accessible by web applications running under a security manager
- without any checks. This allowed a malicious web application to inject a
- malicious global context that could in turn be used to disrupt other web
+ and was accessible to web applications even when running under a security
+ manager. This allowed a malicious web application to inject a malicious
+ global context that could in turn be used to disrupt other web
applications and/or read and write data owned by other web
applications.</p>
@@ -500,6 +516,10 @@
</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
<p>When accessing resources via the <code>ServletContext</code> methods
<code>getResource()</code> <code>getResourceAsStream()</code> and
<code>getResourcePaths()</code> the paths should be limited to the
Modified: tomcat/site/trunk/docs/security-9.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1731638&r1=1731637&r2=1731638&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Mon Feb 22 13:18:59 2016
@@ -277,11 +277,15 @@
</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
<p>
<code>ResourceLinkFactory.setGlobalContext()</code> is a public method
- and was accessible by web applications running under a security manager
- without any checks. This allowed a malicious web application to inject a
- malicious global context that could in turn be used to disrupt other web
+ and was accessible to web applications even when running under a security
+ manager. This allowed a malicious web application to inject a malicious
+ global context that could in turn be used to disrupt other web
applications and/or read and write data owned by other web
applications.</p>
@@ -378,15 +382,18 @@
<p>
-<strong>Low: CSRF token leak</strong>
+<strong>Moderate: CSRF token leak</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351" rel="nofollow">CVE-2015-5351</a>
</p>
<p>The index page of the Manager and Host Manager applications included a
valid CSRF token when issuing a redirect as a result of an
- unauthenticated request to the root of the web application. This token
- could then be used by an attacker to construct a CSRF attack.</p>
+ unauthenticated request to the root of the web application. If an
+ attacker had access to the Manager or Host Manager applications
+ (typically these applications are only accessible to internal users, not
+ exposed to the Internet), this token could then be used by the attacker
+ to construct a CSRF attack.</p>
<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1720652">1720652</a> and
@@ -406,12 +413,17 @@
</p>
-<p>The StatusManagerServlet could be loaded by a web application when a
- security manager was configured. This servlet would then provide the web
- application with a list of all deployed applications and a list of the
- HTTP request lines for all requests currently being processed. This could
- have exposed sensitive information from other web applications such as
- session IDs to the web application.</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
+<p>The internal StatusManagerServlet could be loaded by a malicious web
+ application when a security manager was configured. This servlet could
+ then provide the malicious web application with a list of all deployed
+ applications and a list of the HTTP request lines for all requests
+ currently being processed. This could have exposed sensitive information
+ from other web applications, such as session IDs, to the web
+ application.</p>
<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1722799">1722799</a>.</p>
@@ -430,6 +442,10 @@
</p>
+<p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+
<p>Tomcat provides several session persistence mechanisms. The
<code>StandardManager</code> persists session over a restart. The
<code>PersistentManager</code> is able to persist sessions to files, a
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1731638&r1=1731637&r2=1731638&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Feb 22 13:18:59 2016
@@ -53,6 +53,9 @@
<p><strong>Low: Limited directory traversal</strong>
<cve>CVE-2015-5174</cve></p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
<p>When accessing resources via the <code>ServletContext</code> methods
<code>getResource()</code> <code>getResourceAsStream()</code> and
<code>getResourcePaths()</code> the paths should be limited to the
@@ -109,12 +112,16 @@
<p><strong>Low: Security Manager bypass</strong>
<cve>CVE-2016-0706</cve></p>
- <p>The StatusManagerServlet could be loaded by a web application when a
- security manager was configured. This servlet would then provide the web
- application with a list of all deployed applications and a list of the
- HTTP request lines for all requests currently being processed. This could
- have exposed sensitive information from other web applications such as
- session IDs to the web application.</p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+ <p>The internal StatusManagerServlet could be loaded by a malicious web
+ application when a security manager was configured. This servlet could
+ then provide the malicious web application with a list of all deployed
+ applications and a list of the HTTP request lines for all requests
+ currently being processed. This could have exposed sensitive information
+ from other web applications, such as session IDs, to the web
+ application.</p>
<p>This was fixed in revision <revlink rev="1722802">1722802</revlink>.</p>
@@ -126,6 +133,9 @@
<p><strong>Moderate: Security Manager bypass</strong>
<cve>CVE-2016-0714</cve></p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
<p>Tomcat provides several session persistence mechanisms. The
<code>StandardManager</code> persists session over a restart. The
<code>PersistentManager</code> is able to persist sessions to files, a
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1731638&r1=1731637&r2=1731638&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Feb 22 13:18:59 2016
@@ -86,13 +86,16 @@
<p>Affects: 7.0.0 to 7.0.67</p>
- <p><strong>Low: CSRF token leak</strong>
+ <p><strong>Moderate: CSRF token leak</strong>
<cve>CVE-2015-5351</cve></p>
<p>The index page of the Manager and Host Manager applications included a
valid CSRF token when issuing a redirect as a result of an
- unauthenticated request to the root of the web application. This token
- could then be used by an attacker to construct a CSRF attack.</p>
+ unauthenticated request to the root of the web application. If an
+ attacker had access to the Manager or Host Manager applications
+ (typically these applications are only accessible to internal users, not
+ exposed to the Internet), this token could then be used by the attacker
+ to construct a CSRF attack.</p>
<p>This was fixed in revisions <revlink rev="1720661">1720661</revlink> and
<revlink rev="1720663">1720663</revlink>.</p>
@@ -105,12 +108,16 @@
<p><strong>Low: Security Manager bypass</strong>
<cve>CVE-2016-0706</cve></p>
- <p>The StatusManagerServlet could be loaded by a web application when a
- security manager was configured. This servlet would then provide the web
- application with a list of all deployed applications and a list of the
- HTTP request lines for all requests currently being processed. This could
- have exposed sensitive information from other web applications such as
- session IDs to the web application.</p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+ <p>The internal StatusManagerServlet could be loaded by a malicious web
+ application when a security manager was configured. This servlet could
+ then provide the malicious web application with a list of all deployed
+ applications and a list of the HTTP request lines for all requests
+ currently being processed. This could have exposed sensitive information
+ from other web applications, such as session IDs, to the web
+ application.</p>
<p>This was fixed in revision <revlink rev="1722801">1722801</revlink>.</p>
@@ -122,6 +129,9 @@
<p><strong>Moderate: Security Manager bypass</strong>
<cve>CVE-2016-0714</cve></p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
<p>Tomcat provides several session persistence mechanisms. The
<code>StandardManager</code> persists session over a restart. The
<code>PersistentManager</code> is able to persist sessions to files, a
@@ -144,10 +154,13 @@
<p><strong>Moderate: Security Manager bypass</strong>
<cve>CVE-2016-0763</cve></p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
<p><code>ResourceLinkFactory.setGlobalContext()</code> is a public method
- and was accessible by web applications running under a security manager
- without any checks. This allowed a malicious web application to inject a
- malicious global context that could in turn be used to disrupt other web
+ and was accessible to web applications even when running under a security
+ manager. This allowed a malicious web application to inject a malicious
+ global context that could in turn be used to disrupt other web
applications and/or read and write data owned by other web
applications.</p>
@@ -196,6 +209,9 @@
<p><strong>Low: Limited directory traversal</strong>
<cve>CVE-2015-5174</cve></p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
<p>When accessing resources via the <code>ServletContext</code> methods
<code>getResource()</code> <code>getResourceAsStream()</code> and
<code>getResourcePaths()</code> the paths should be limited to the
Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1731638&r1=1731637&r2=1731638&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Mon Feb 22 13:18:59 2016
@@ -80,13 +80,16 @@
<p>Affects: 8.0.0.RC1 to 8.0.30</p>
- <p><strong>Low: CSRF token leak</strong>
+ <p><strong>Moderate: CSRF token leak</strong>
<cve>CVE-2015-5351</cve></p>
<p>The index page of the Manager and Host Manager applications included a
valid CSRF token when issuing a redirect as a result of an
- unauthenticated request to the root of the web application. This token
- could then be used by an attacker to construct a CSRF attack.</p>
+ unauthenticated request to the root of the web application. If an
+ attacker had access to the Manager or Host Manager applications
+ (typically these applications are only accessible to internal users, not
+ exposed to the Internet), this token could then be used by the attacker
+ to construct a CSRF attack.</p>
<p>This was fixed in revisions <revlink rev="1720658">1720658</revlink> and
<revlink rev="1720660">1720660</revlink>.</p>
@@ -99,12 +102,16 @@
<p><strong>Low: Security Manager bypass</strong>
<cve>CVE-2016-0706</cve></p>
- <p>The StatusManagerServlet could be loaded by a web application when a
- security manager was configured. This servlet would then provide the web
- application with a list of all deployed applications and a list of the
- HTTP request lines for all requests currently being processed. This could
- have exposed sensitive information from other web applications such as
- session IDs to the web application.</p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+ <p>The internal StatusManagerServlet could be loaded by a malicious web
+ application when a security manager was configured. This servlet could
+ then provide the malicious web application with a list of all deployed
+ applications and a list of the HTTP request lines for all requests
+ currently being processed. This could have exposed sensitive information
+ from other web applications, such as session IDs, to the web
+ application.</p>
<p>This was fixed in revision <revlink rev="1722800">1722800</revlink>.</p>
@@ -116,6 +123,9 @@
<p><strong>Moderate: Security Manager bypass</strong>
<cve>CVE-2016-0714</cve></p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
<p>Tomcat provides several session persistence mechanisms. The
<code>StandardManager</code> persists session over a restart. The
<code>PersistentManager</code> is able to persist sessions to files, a
@@ -138,10 +148,13 @@
<p><strong>Moderate: Security Manager bypass</strong>
<cve>CVE-2016-0763</cve></p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
<p><code>ResourceLinkFactory.setGlobalContext()</code> is a public method
- and was accessible by web applications running under a security manager
- without any checks. This allowed a malicious web application to inject a
- malicious global context that could in turn be used to disrupt other web
+ and was accessible to web applications even when running under a security
+ manager. This allowed a malicious web application to inject a malicious
+ global context that could in turn be used to disrupt other web
applications and/or read and write data owned by other web
applications.</p>
@@ -197,6 +210,9 @@
<p><strong>Low: Limited directory traversal</strong>
<cve>CVE-2015-5174</cve></p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
<p>When accessing resources via the <code>ServletContext</code> methods
<code>getResource()</code> <code>getResourceAsStream()</code> and
<code>getResourcePaths()</code> the paths should be limited to the
Modified: tomcat/site/trunk/xdocs/security-9.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1731638&r1=1731637&r2=1731638&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Mon Feb 22 13:18:59 2016
@@ -55,10 +55,13 @@
<p><strong>Moderate: Security Manager bypass</strong>
<cve>CVE-2016-0763</cve></p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
<p><code>ResourceLinkFactory.setGlobalContext()</code> is a public method
- and was accessible by web applications running under a security manager
- without any checks. This allowed a malicious web application to inject a
- malicious global context that could in turn be used to disrupt other web
+ and was accessible to web applications even when running under a security
+ manager. This allowed a malicious web application to inject a malicious
+ global context that could in turn be used to disrupt other web
applications and/or read and write data owned by other web
applications.</p>
@@ -132,13 +135,16 @@
<p>Affects: 9.0.0.M1</p>
- <p><strong>Low: CSRF token leak</strong>
+ <p><strong>Moderate: CSRF token leak</strong>
<cve>CVE-2015-5351</cve></p>
<p>The index page of the Manager and Host Manager applications included a
valid CSRF token when issuing a redirect as a result of an
- unauthenticated request to the root of the web application. This token
- could then be used by an attacker to construct a CSRF attack.</p>
+ unauthenticated request to the root of the web application. If an
+ attacker had access to the Manager or Host Manager applications
+ (typically these applications are only accessible to internal users, not
+ exposed to the Internet), this token could then be used by the attacker
+ to construct a CSRF attack.</p>
<p>This was fixed in revisions <revlink rev="1720652">1720652</revlink> and
<revlink rev="1720655">1720655</revlink>.</p>
@@ -151,12 +157,16 @@
<p><strong>Low: Security Manager bypass</strong>
<cve>CVE-2016-0706</cve></p>
- <p>The StatusManagerServlet could be loaded by a web application when a
- security manager was configured. This servlet would then provide the web
- application with a list of all deployed applications and a list of the
- HTTP request lines for all requests currently being processed. This could
- have exposed sensitive information from other web applications such as
- session IDs to the web application.</p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
+ <p>The internal StatusManagerServlet could be loaded by a malicious web
+ application when a security manager was configured. This servlet could
+ then provide the malicious web application with a list of all deployed
+ applications and a list of the HTTP request lines for all requests
+ currently being processed. This could have exposed sensitive information
+ from other web applications, such as session IDs, to the web
+ application.</p>
<p>This was fixed in revision <revlink rev="1722799">1722799</revlink>.</p>
@@ -168,6 +178,9 @@
<p><strong>Moderate: Security Manager bypass</strong>
<cve>CVE-2016-0714</cve></p>
+ <p>This issue only affects users running untrusted web applications under a
+ security manager.</p>
+
<p>Tomcat provides several session persistence mechanisms. The
<code>StandardManager</code> persists session over a restart. The
<code>PersistentManager</code> is able to persist sessions to files, a