vulnerability

Debian: CVE-2016-6816: tomcat6, tomcat7 -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:M/Au:N/C:P/I:P/A:P)	Dec 1, 2016	Dec 19, 2016	Aug 15, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:P)

Published

Dec 1, 2016

Added

Dec 19, 2016

Modified

Aug 15, 2025

Description

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

Solutions

debian-upgrade-tomcat6debian-upgrade-tomcat7

References

CVE-2016-6816
https://attackerkb.com/topics/CVE-2016-6816
CWE-20
DEBIAN-DLA-728-1
DEBIAN-DLA-729-1
DEBIAN-DSA-3738
DEBIAN-DSA-3739

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today