vulnerability
CentOS: (CVE-2016-0706) CESA-2016:2045: tomcat6
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:P/I:N/A:N) | 2016-02-24 | 2016-10-21 | 2019-05-07 |
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Published
2016-02-24
Added
2016-10-21
Modified
2019-05-07
Description
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
Solution(s)
centos-upgrade-tomcat6centos-upgrade-tomcat6-admin-webappscentos-upgrade-tomcat6-docs-webappcentos-upgrade-tomcat6-el-2-1-apicentos-upgrade-tomcat6-javadoccentos-upgrade-tomcat6-jsp-2-1-apicentos-upgrade-tomcat6-libcentos-upgrade-tomcat6-servlet-2-5-apicentos-upgrade-tomcat6-webapps
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.