CVE-2014-7810

Name: CVE-2014-7810
Description: The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
Source: CVE
References: DLA-232-1, DSA-3428-1, DSA-3447-1, DSA-3530-1
Debian Bugs: 787010

The information below is based on the following data on fixed versions.

| Package | Type   | Release    | Fixed Version        | Urgency | Origin     | Debian Bugs |
|---------|--------|------------|----------------------|---------|------------|-------------|
| tomcat6 | source | squeeze    | 6.0.41-2+squeeze7    |         | DLA-232-1  |             |
| tomcat6 | source | wheezy     | 6.0.45+dfsg-1~deb7u1 |         | DSA-3530-1 |             |
| tomcat6 | source | (unstable) | 6.0.41-3             |         |            | 787010      |
| tomcat7 | source | wheezy     | 7.0.28-4+deb7u3      |         | DSA-3447-1 |             |
| tomcat7 | source | jessie     | 7.0.56-3+deb8u1      |         | DSA-3447-1 |             |
| tomcat7 | source | (unstable) | 7.0.61-1             |         |            |             |
| tomcat8 | source | jessie     | 8.0.14-1+deb8u1      |         | DSA-3428-1 |             |
| tomcat8 | source | (unstable) | 8.0.21-2             |         |            |             |

Notes

Marked as fixed in 6.0.41-3, which only builds the libservlet2.5-java and libservlet2.5-java-doc packages.
http://svn.apache.org/viewvc?view=revision&revision=1645366 (6.x)
http://svn.apache.org/viewvc?view=revision&revision=1659538 (6.x)
http://svn.apache.org/viewvc?view=revision&revision=1644019 (7.x)
http://svn.apache.org/viewvc?view=revision&revision=1645644 (7.x)