Apache Tomcat 8.0.x < 8.0.17 Security Manager Bypass
Medium Nessus Plugin ID 83765
SynopsisThe remote Apache Tomcat server is affected by a security bypass vulnerability.
DescriptionAccording to its self-reported version number, the Apache Tomcat server listening on the remote host is 8.0.x prior to 8.0.17. It is, therefore, affected by a security bypass vulnerability due to a flaw that occurs when handling expression language. A remote attacker can exploit this, via a crafted web application, to bypass the security manager protection and execute arbitrary code.
Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.
SolutionUpgrade to Apache Tomcat version 8.0.17 or later.