vulnerability

Apache Tomcat: Low: Security Manager bypass (CVE-2016-0706)

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Published

Feb 23, 2016

Added

Feb 23, 2016

Modified

Mar 27, 2026

Description

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

Solutions

apache-tomcat-upgrade-6_0_45apache-tomcat-upgrade-7_0_68apache-tomcat-upgrade-8_0_32

References

CVE-2016-0706
https://attackerkb.com/topics/CVE-2016-0706
CWE-200
EUVD-EUVD-2022-2864
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-2864

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report