vulnerability
Oracle Linux: CVE-2016-0763: ELSA-2016-2599: tomcat security, bug fix, and enhancement update (MODERATE)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:P/I:P/A:P) | 2016-02-22 | 2016-11-09 | 2024-11-27 |
Severity
7
CVSS
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
Published
2016-02-22
Added
2016-11-09
Modified
2024-11-27
Description
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service.
A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service.
Solution(s)
oracle-linux-upgrade-tomcatoracle-linux-upgrade-tomcat-admin-webappsoracle-linux-upgrade-tomcat-docs-webapporacle-linux-upgrade-tomcat-el-2-2-apioracle-linux-upgrade-tomcat-javadocoracle-linux-upgrade-tomcat-jsp-2-2-apioracle-linux-upgrade-tomcat-jsvcoracle-linux-upgrade-tomcat-liboracle-linux-upgrade-tomcat-servlet-3-0-apioracle-linux-upgrade-tomcat-webapps
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.