CVE-2010-3718
tomcat6 - several
EPSS 0.40%
Description
Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.
How to fix CVE-2010-3718
To remediate CVE-2010-3718, upgrade the affected package to the fixed version listed for it below.
- Debian/tomcat6: upgrade to 6.0.28-9+squeeze1 or later
- Maven/org.apache.tomcat:tomcat: upgrade to 7.0.4 or later
Is CVE-2010-3718 being exploited?
Low: EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/tomcat6: >= 0, < 6.0.28-9+squeeze1
- Maven/org.apache.tomcat:tomcat: >= 7.0.0, < 7.0.4