https://bz.apache.org/bugzilla/show_bug.cgi?id=65736

            Bug ID: 65736
           Summary: Improve org.apache.naming.factory.BeanFactory to
                    mitigate JNDI injection
           Product: Tomcat 9
           Version: 9.0.55
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: zhouyanm...@gmail.com
  Target Milestone: -----

I can reproduce the vulnerability which leverages
"org.apache.naming.factory.BeanFactory" and "javax.el.ELProcessor", described in
https://www.veracode.com/blog/research/exploiting-jndi-injections-java
It would be great if Tomcat can do something to mitigate it.
