vulnerability

Apache Tomcat: Low: Timing Attack (CVE-2016-0762)

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Published

Oct 28, 2016

Added

Oct 28, 2016

Modified

Mar 27, 2026

Description

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Solutions

apache-tomcat-upgrade-6_0_47apache-tomcat-upgrade-7_0_72apache-tomcat-upgrade-8_0_37

References

CVE-2016-0762
https://attackerkb.com/topics/CVE-2016-0762
CWE-203
EUVD-EUVD-2022-5668
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-5668

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report