HomePentest-Tools.com Logo

Apache Tomcat Security Bypass and Information Disclosure Vulnerabilities (Windows) CVE-2016-6794CVE-2016-0762CVE-2016-5018CVE-2016-6796CVE-2016-6797

Severity
CVSSv3 Score
7.5
Vulnerability description

Apache Tomcat is prone to security bypass and information disclosure vulnerabilities.

Risk description

Multiple flaws exist due to: - An error in the system property replacement feature for configuration files. - An error in the realm implementations in Apache Tomcat that does not process the supplied password if the supplied user name did not exist. - An error in the configured SecurityManager via a Tomcat utility method that is accessible to web applications. - An error in the configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. - An error in the ResourceLinkFactory implementation in Apache Tomcat that does not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Successful exploitation will allow remote attackers to gain access to potentially sensitive information and bypass certain security restrictions.

Recommendation

Upgrade to Apache Tomcat version 9.0.0.M10 or 8.5.5 or 8.0.37 or 7.0.72 or 6.0.47 or later.

Codename
Not available
Detectable with
Network Scanner
Scan engine
OpenVAS
Exploitable with Sniper
No
CVE Published
Aug 10, 2017
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available