CVE-2013-2185 was assigned for this issue.

https://bugzilla.redhat.com/show_bug.cgi?id=974813

Description Arun Babu Neelicattu 2013-06-16 01:25:42 EDT

A poison null byte flaw was found in the implementation of the DiskFileItem class. A remote attacker able to supply a serialized instance of the DiskFileItem class, which will be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is permitted by the user running the application server process.

-----------------------
Comment via oss-security:

From: David Jorm
Date: Thu, 05 Sep 2013 13:35:23 +1000

This flaw was reported to the tomcat security team, but they were of the
opinion that it did not constitute a security flaw in tomcat. The Red
Hat security team decided that we did consider it a security flaw in
tomcat, and handled it accordingly. I think whether or not this category
of issue is considered a security flaw is an unresolved debate - having
some consensus either way would be helpful in my opinion.

The DiskFileItem class's readObject method contained a poison null byte
flaw. A remote attacker able to supply a serialized instance of the
DiskFileItem class, which will be deserialized on a server, could use
this flaw to write arbitrary content to any location on the server that
is permitted by the user running the application server process. The key
point here is that an application is only vulnerable if it deserializes
arbitrary user-supplied data, and it has DiskFileItem on the classpath.
One argument is that since exploitation relies on an application
allowing deserialization of user-supplied data, the real flaw lies in
that application, so this is not actually a security flaw in
DiskFileItem. The opposing argument is that an application allowing
deserialization of user-supplied data would not necessarily expose any
kind of security flaw, but if a vulnerable class (e.g. DiskFileItem)
existed on the server's classpath, then it would, therefore this is a
security flaw in DiskFileItem.