10.15 Do not allow cross context requests

Information

Setting crossContext to false prevents an application from calling ServletConext.getContext to return a dispatcher for another application.

Rationale:

Allowing crossContext creates the possibility for a malicious application to make requests to a restricted application.

Solution

Set the crossContext attribute in all context.xml files to false:

<Context ... crossContext='false' />

Default Value:

By default crossContext has a value of false.

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/context.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10), CSCv7|4.7

Plugin: Unix

Control ID: cbb2dc4034341fc6f53ca78f7b1baf4d2828812c9c664f2424fd6d9ed27dc853