Apache Tomcat Security Bypass and Information Disclosure Vulnerabilities (Windows): CVE-2016-6794, CVE-2016-0762, CVE-2016-5018, CVE-2016-6796, CVE-2016-6797
- CVSSv3 Score
- Vulnerability description
Apache Tomcat is prone to security bypass and information disclosure vulnerabilities.
- Risk description
Multiple flaws exist due to:
- An error in the system property replacement feature for configuration files.
- An error in the realm implementations in Apache Tomcat, which do not process the supplied password if the supplied user name does not exist.
- An error in the configured SecurityManager via a Tomcat utility method that is accessible to web applications.
- An error in the configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.
- An error in the ResourceLinkFactory implementation in Apache Tomcat, which does not limit web application access to global JNDI resources to those resources explicitly linked to the web application.
Successful exploitation will allow remote attackers to gain access to potentially sensitive information and bypass certain security restrictions.
Upgrade to Apache Tomcat version 9.0.0.M10, 8.5.5, 8.0.37, 7.0.72 or 6.0.47, or later, according to the release branch in use.
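The following is an added example (not part of the advisory) that checks whether an installed Tomcat version is below the fixed release listed above for its branch, so an inventory of servers can be triaged for this upgrade. It assumes versions are given in Tomcat's usual form (e.g. 8.0.36 or 9.0.0.M9) and that `bin/version.sh` reports a line such as `Server version: Apache Tomcat/8.5.4`; milestone ordering (M9 before M10 before the final 9.0.0) is handled explicitly.

```python
import re

# Fixed versions taken from the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (9, 0): "9.0.0.M10",
    (8, 5): "8.5.5",
    (8, 0): "8.0.37",
    (7, 0): "7.0.72",
    (6, 0): "6.0.47",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Turn a Tomcat version string into a sortable tuple.

    Milestones sort before the final release of the same number, so
    9.0.0.M9 < 9.0.0.M10 < 9.0.0. Returns None for unrecognised input.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)   # final release
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version_text):
    """True if older than the fix for its branch, False if fixed,
    None if the branch is not covered by this advisory (e.g. 5.5.x)."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError("unrecognised Tomcat version: %r" % version_text)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def check_version_banner(line):
    """Classify a 'Server version: Apache Tomcat/x.y.z' line as printed by
    bin/version.sh (banner format is an assumption of this example)."""
    m = re.search(r"Apache Tomcat/(\S+)", line)
    if not m:
        return None
    return is_affected(m.group(1))
```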
- Not available