vulnerability

Oracle Linux: CVE-2016-0706: ELSA-2016-2045: tomcat6 security and bug fix update (IMPORTANT) (Multiple Advisories)

Try Surface Command
Back to search
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Published
2016-02-22
Added
2016-10-11
Modified
2024-12-05

Description

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs.

Solution(s)

oracle-linux-upgrade-tomcatoracle-linux-upgrade-tomcat6oracle-linux-upgrade-tomcat6-admin-webappsoracle-linux-upgrade-tomcat6-docs-webapporacle-linux-upgrade-tomcat6-el-2-1-apioracle-linux-upgrade-tomcat6-javadocoracle-linux-upgrade-tomcat6-jsp-2-1-apioracle-linux-upgrade-tomcat6-liboracle-linux-upgrade-tomcat6-servlet-2-5-apioracle-linux-upgrade-tomcat6-webappsoracle-linux-upgrade-tomcat-admin-webappsoracle-linux-upgrade-tomcat-docs-webapporacle-linux-upgrade-tomcat-el-2-2-apioracle-linux-upgrade-tomcat-javadocoracle-linux-upgrade-tomcat-jsp-2-2-apioracle-linux-upgrade-tomcat-jsvcoracle-linux-upgrade-tomcat-liboracle-linux-upgrade-tomcat-servlet-3-0-apioracle-linux-upgrade-tomcat-webapps

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today