The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2016-02-25T01:00:00
Updated: 2020-02-13T16:06:09
Reserved: 2015-12-16T00:00:00
Link: CVE-2016-0763
JSON object: View
NVD Information
Status : Modified
Published: 2016-02-25T01:59:06.280
Modified: 2023-12-08T16:41:18.860
Link: CVE-2016-0763
JSON object: View
Redhat Information
No data.
CWE