Apache Tomcat Bug Lets Remote Users Bypass Security Constraints
Version(s): 6.0.0 - 6.0.35, 7.0.0 - 7.0.29
A vulnerability was reported in Apache Tomcat.
When FORM authentication is in use, the security constraint checks in the FORM authenticator can be bypassed by appending /j_security_check to the end of the URL of a protected resource, provided that some other component (such as the Single-Sign-On valve) has already called request.setUserPrincipal() on the request before FormAuthenticator#authenticate() runs. The authenticator then treats the request as already authenticated, so the security constraint protecting the original URL is not enforced.
A remote user whose request already carries such a principal can bypass security constraints.
The vendor has issued a fix (6.0.36, 7.0.30).
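The following is an added, illustrative model of the ordering defect described above; it is not Tomcat source and does not reproduce Tomcat's actual control flow. The class, method and field names (FormAuthGateModel, vulnerableInvoke, fixedInvoke, hasResourcePermission), the single constraint on /admin/ requiring role "admin", and the principal "alice" holding only role "user" are all assumptions made for the example.

```java
import java.util.Map;
import java.util.Set;

/*
 * Illustrative model only (added example, not Tomcat source). It shows the
 * ordering defect the advisory describes: a URI ending in the form action is
 * routed to the authenticator first, and an authenticator that trusts an
 * already-attached principal lets the request through without the constraint
 * check every other URI receives.
 */
public class FormAuthGateModel {

    static final String FORM_ACTION = "/j_security_check";

    /** Stand-in for the request: decoded URI plus whatever principal and roles an
     *  upstream component (e.g. an SSO valve) may already have attached. */
    static final class Request {
        final String uri;
        final String principal;   // null when nobody has called setUserPrincipal()
        final Set<String> roles;  // roles the container knows for that principal

        Request(String uri, String principal, Set<String> roles) {
            this.uri = uri;
            this.principal = principal;
            this.roles = roles;
        }
    }

    /** Assumed security constraints: URL prefix -> role required to reach it. */
    static final Map<String, String> CONSTRAINTS = Map.of("/admin/", "admin");

    /** The constraint check: may this principal reach this URI? */
    static boolean hasResourcePermission(Request req) {
        for (Map.Entry<String, String> c : CONSTRAINTS.entrySet()) {
            if (req.uri.startsWith(c.getKey())) {
                return req.principal != null && req.roles.contains(c.getValue());
            }
        }
        return true; // not subject to any constraint
    }

    /** Vulnerable ordering: the form-action short cut treats an existing principal
     *  as "already authenticated" and passes the request on; the constraint for
     *  the underlying resource is never evaluated. */
    static boolean vulnerableInvoke(Request req) {
        if (req.uri.endsWith(FORM_ACTION)) {
            if (req.principal != null) {
                return true; // bypass: no constraint check for /admin/...
            }
            return false;    // a real credential POST would be validated here
        }
        return hasResourcePermission(req);
    }

    /** Hardened ordering: the form action only ever consumes a credential
     *  submission (validate, then redirect) and is never served as a resource,
     *  so a pre-set principal cannot excuse any URI from its constraint. */
    static boolean fixedInvoke(Request req) {
        if (req.uri.endsWith(FORM_ACTION)) {
            return false;
        }
        return hasResourcePermission(req);
    }

    public static void main(String[] args) {
        Set<String> userRoles = Set.of("user"); // assumed: alice lacks "admin"
        Request direct   = new Request("/admin/console", "alice", userRoles);
        Request suffixed = new Request("/admin/console" + FORM_ACTION, "alice", userRoles);

        System.out.println("vulnerable, " + direct.uri   + " -> " + vulnerableInvoke(direct));
        System.out.println("vulnerable, " + suffixed.uri + " -> " + vulnerableInvoke(suffixed));
        System.out.println("fixed,      " + direct.uri   + " -> " + fixedInvoke(direct));
        System.out.println("fixed,      " + suffixed.uri + " -> " + fixedInvoke(suffixed));
    }
}
```

In the model, the plain request for /admin/console is refused in both versions because alice lacks the "admin" role, while the same URL with /j_security_check appended is let through only by the vulnerable ordering. Whether such a suffixed URL still reaches the protected servlet on a real deployment depends on its mapping: a prefix mapping such as /admin/* receives the extra segment as path info, an exact mapping does not. To verify a deployment, compare the responses to a protected URL with and without the appended /j_security_check while the request carries a principal set by another component; after upgrading to the fixed releases (6.0.36, 7.0.30) both should be refused.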