Rapid7

vulnerability

Apache Tomcat: Low: Security Manager bypass (CVE-2016-0706)

Severity
4
CVSS
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Published
Feb 23, 2016
Added
Feb 23, 2016
Modified
Mar 27, 2026

Description

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

Solutions

apache-tomcat-upgrade-6_0_45apache-tomcat-upgrade-7_0_68apache-tomcat-upgrade-8_0_32
Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.