
Apache Tomcat Security Bypass and Information Disclosure Vulnerabilities (Windows)
CVE-2016-6794, CVE-2016-0762, CVE-2016-5018, CVE-2016-6796, CVE-2016-6797

Vulnerability description

Apache Tomcat is prone to security bypass and information disclosure vulnerabilities.

Risk description

Multiple flaws exist due to:
- An error in the system property replacement feature for configuration files.
- An error in the realm implementations in Apache Tomcat, which do not process the supplied password if the supplied user name does not exist.
- An error in the configured SecurityManager via a Tomcat utility method that is accessible to web applications.
- An error in the configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.
- An error in the ResourceLinkFactory implementation in Apache Tomcat, which does not limit web application access to global JNDI resources to those resources explicitly linked to the web application.
Successful exploitation will allow remote attackers to gain access to potentially sensitive information and bypass certain security restrictions.


Upgrade to Apache Tomcat 9.0.0.M10, 8.5.5, 8.0.37, 7.0.72 or 6.0.47 (or later, within the respective branch).

CVE Published: Aug 10, 2017