CVE-2017-5648

CRITICAL Year: 2017
CVSS v3 Score
9.1
Critical
CVSS v2 Score
6.4
Medium
Weakness Type
CWE-668
View all →

Vulnerability Description

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Related Vulnerabilities

CVE-2007-3915

CRITICAL
CVSS:9.1(Critical)

Mondo 2.24 has insecure handling of temporary files.

CWE-6682007

CVE-2009-5042

CRITICAL
CVSS:9.1(Critical)

python-docutils allows insecure usage of temporary files

CWE-6682009

CVE-2020-16263

CRITICAL
CVSS:9.1(Critical)

Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. This allows requests to be made and viewed by arbitrary origins.

CWE-6682020

CVE-2020-22647

CRITICAL
CVSS:9.1(Critical)

An issue found in DepositGame v.1.0 allows an attacker to gain sensitive information via the GetBonusWithdraw and withdraw functions.

CWE-6682020

CVE-2020-5887

CRITICAL
CVSS:9.1(Critical)

On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for remote attackers to access local daemons and bypass port lockdown settings.

CWE-6682020

CVE-2021-42640

CRITICAL
CVSS:9.1(Critical)

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to reassign drivers for any p...

CWE-6682021