HomePentest-Tools.com Logo

Apache Tomcat Security Manager Bypass Vulnerability - 01 - Feb16 (Windows) CVE-2016-0714CVE-2016-0706

Severity
CVSSv3 Score
8.8
Vulnerability description

Apache Tomcat is prone to a security manager bypass vulnerability.

Risk description

The flaw exists due to an improper validation of several session persistence mechanisms and the StatusManagerServlet loaded by a web application when a security manager was configured. Successful exploitation will allow remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context and read arbitrary HTTP requests, and consequently discover session ID values.

Recommendation

Upgrade to version 6.0.45 or 7.0.68 or 8.0.32 or 9.0.0.M3 or later.

Codename
Not available
Detectable with
Network Scanner
Scan engine
OpenVAS
Exploitable with Sniper
No
CVE Published
Feb 25, 2016
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available