Description: native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| commons-daemon (PTS) | buster | 1.0.15-8+deb10u1 | fixed |
| commons-daemon (PTS) | sid, trixie | 1.0.15-11 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| commons-daemon | source | squeeze | (not affected) | | | |


[squeeze] - commons-daemon <not-affected> (Support for libcap was only added in 1.0.6)
According to jsvc needs to be built against libcap to be exploitable
