Apache Tomcat contains a flaw that allows a local attacker to traverse outside of a restricted path. The issue is due to the 'SecurityManager' not properly making the 'ServletContext' attribute read-only, allowing for directory traversal style attacks (e.g., ../../). This directory traversal attack would allow the attacker to manipulate arbitrary files.
Local Access Required
Loss of Integrity
Upgrade to version 5.5.33, 6.0.32, 7.0.8 or higher, as these releases have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
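To check an inventory against the fixed releases listed above, the following added example (not part of the original advisory) classifies Tomcat version banners per branch. The host names and inventory lines are constructed sample data in the format printed by Tomcat's `version.sh`; treating every branch newer than 7.0 as covered by "or higher" is an assumption.

```python
import re

# First fixed patch level per branch, taken from the advisory text.
FIXED = {(5, 5): 33, (6, 0): 32, (7, 0): 8}

# Matches banners such as "Server version: Apache Tomcat/6.0.29".
VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return 'fixed', 'upgrade' or 'unknown' for one version banner."""
    match = VERSION_RE.search(banner)
    if not match:
        return "unknown"  # no parsable Tomcat version in the banner
    major, minor, patch = (int(part) for part in match.groups())
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "upgrade"
    if branch > max(FIXED):
        # Assumption: a newer branch counts as "7.0.8 or higher".
        return "fixed"
    # Older or unlisted branch: the advisory names no fixed release for it.
    return "unknown"


def triage(inventory):
    """Map each host in a 'host banner' inventory to its classification."""
    result = {}
    for line in inventory.splitlines():
        fields = line.split(None, 1)
        if not fields:
            continue  # skip blank lines
        banner = fields[1] if len(fields) > 1 else ""
        result[fields[0]] = classify(banner)
    return result


# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = """\
app01  Server version: Apache Tomcat/5.5.31
app02  Server version: Apache Tomcat/6.0.32
app03  Server version: Apache Tomcat/7.0.6
app04  Server version: Apache Tomcat/7.0.12
app05  Server version: Apache Tomcat/5.0.28
app06  Server version: unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need manual review, since the advisory lists no fixed release for their branch or the banner could not be parsed.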