vulnerability
Oracle Linux: CVE-2016-0706: ELSA-2016-2045: tomcat6 security and bug fix update (IMPORTANT) (Multiple Advisories)
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
4 | (AV:N/AC:L/Au:S/C:P/I:N/A:N) | Feb 22, 2016 | Oct 11, 2016 | Dec 5, 2024 |
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Published
Feb 22, 2016
Added
Oct 11, 2016
Modified
Dec 5, 2024
Description
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs.
It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs.
Solution(s)
oracle-linux-upgrade-tomcatoracle-linux-upgrade-tomcat6oracle-linux-upgrade-tomcat6-admin-webappsoracle-linux-upgrade-tomcat6-docs-webapporacle-linux-upgrade-tomcat6-el-2-1-apioracle-linux-upgrade-tomcat6-javadocoracle-linux-upgrade-tomcat6-jsp-2-1-apioracle-linux-upgrade-tomcat6-liboracle-linux-upgrade-tomcat6-servlet-2-5-apioracle-linux-upgrade-tomcat6-webappsoracle-linux-upgrade-tomcat-admin-webappsoracle-linux-upgrade-tomcat-docs-webapporacle-linux-upgrade-tomcat-el-2-2-apioracle-linux-upgrade-tomcat-javadocoracle-linux-upgrade-tomcat-jsp-2-2-apioracle-linux-upgrade-tomcat-jsvcoracle-linux-upgrade-tomcat-liboracle-linux-upgrade-tomcat-servlet-3-0-apioracle-linux-upgrade-tomcat-webapps

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.