CVSS: 9.1EPSS: 0%CPEs: 33EXPL: 1CVE-2016-5018 – tomcat: security manager bypass via IntrospectHelper utility function
https://notcve.org/view.php?id=CVE-2016-5018
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. En Apache Tomcat 9.0.0.M1 a 9.0.0.M9, 8.5.0 a 8.5.4, 8.0.0.RC1 a 8.0.36, 7.0.0 a 7.0.70, y 6.0.0 a 6.0.45 una aplicación web maliciosa era capaz de omitir un SecurityManager configurado mediante un método utility Tomcat accesible para las aplicaciones web. It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. • http://packetstormsecurity.com/files/155873/Tomcat-9.0.0.M1-Sandbox-Escape.html http://rhn.redhat.com/errata/RHSA-2017-0457.html http://rhn.redhat.com/errata/RHSA-2017-1551.html http://www.debian.org/security/2016/dsa-3720 http://www.securityfocus.com/bid/93942 http://www.securitytracker.com/id/1037142 http://www.securitytracker.com/id/1038757 https://access.redhat.com/errata/RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0456 https://access.redhat.com/err •
CVSS: 7.5EPSS: 0%CPEs: 34EXPL: 0CVE-2016-6796 – tomcat: security manager bypass via JSP Servlet config parameters
https://notcve.org/view.php?id=CVE-2016-6796
A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. Una aplicación web maliciosa en Apache Tomcat 9.0.0.M1 a 9.0.0.M9, 8.5.0 a 8.5.4, 8.0.0.RC1 a 8.0.36, 7.0.0 a 7.0.70, y 6.0.0 a 6.0.45 era capaz de eludir un SecurityManager configurado mediante la manipulación de los parámetros de configuración para el Servlet JSP. It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. • http://rhn.redhat.com/errata/RHSA-2017-0457.html http://rhn.redhat.com/errata/RHSA-2017-1551.html http://www.debian.org/security/2016/dsa-3720 http://www.securityfocus.com/bid/93944 http://www.securitytracker.com/id/1037141 http://www.securitytracker.com/id/1038757 https://access.redhat.com/errata/RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:1548 https://access.redhat.com/errata/RHSA-2017:1549 https:/& •
CVSS: 7.5EPSS: 0%CPEs: 32EXPL: 0CVE-2016-6797 – tomcat: unrestricted access to global resources
https://notcve.org/view.php?id=CVE-2016-6797
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. La implementación ResourceLinkFactory en Apache Tomcat 9.0.0.M1 a 9.0.0.M9, 8.5.0 a 8.5.4, 8.0.0.RC1 a 8.0.36, 7.0.0 a 7.0.70 a 6.0.0 a 6.0.45 no limitaba el acceso de las aplicaciones web a recursos globales JNDI a aquellos relacionados explícitamente con la aplicación web. Por lo tanto, era posible que una aplicación web accediese a cualquier recurso global JNDI sin importar si se había configurado un ResourceLink explícito. It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. • http://rhn.redhat.com/errata/RHSA-2017-0457.html http://www.debian.org/security/2016/dsa-3720 http://www.securityfocus.com/bid/93940 http://www.securitytracker.com/id/1037145 https://access.redhat.com/errata/RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:2247 https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/37220405a377c0182d2afdb • CWE-863: Incorrect Authorization •
CVSS: 5.9EPSS: 0%CPEs: 33EXPL: 0CVE-2016-0762 – tomcat: timing attack in Realm implementation
https://notcve.org/view.php?id=CVE-2016-0762
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. Las implementaciones Realm en Apache Tomcat versiones 9.0.0.M1 a 9.0.0.M9, 8.5.0 a 8.5.4, 8.0.0.RC1 a 8.0.36, 7.0.0 a 7.0.70, y 6.0.0 a 6.0.45 no procesaban la contraseña proporcionada si el nombre de usuario proporcionado no existía. Esto hizo posible la realización de un ataque basado en tiempo para determinar nombres de usuario válidos. • http://rhn.redhat.com/errata/RHSA-2017-0457.html http://www.debian.org/security/2016/dsa-3720 http://www.securityfocus.com/bid/93939 http://www.securitytracker.com/id/1037144 https://access.redhat.com/errata/RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:2247 https://lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009%40%3Cannounce.tomcat.apache.org%3E https://lists.apache.org/thread.html/343558d982879bf88e • CWE-203: Observable Discrepancy •
CVSS: 5.3EPSS: 0%CPEs: 31EXPL: 0CVE-2016-6794 – tomcat: system property disclosure
https://notcve.org/view.php?id=CVE-2016-6794
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. Cuando se configura un SecurityManager, la capacidad de una aplicación web de leer las propiedades del sistema debería estar controlada por SecurityManager. En Apache Tomcat 9.0.0.M1 a 9.0.0.M9, 8.5.0 a 8.5.4, 8.0.0.RC1 a 8.0.36, 7.0.0 a 7.0.70, 6.0.0 a 6.0.45 la funcionalidad de reemplazo de propiedades del sistema para archivos de configuración podría ser utilizada por una aplicación web maliciosa para eludir el SecurityManager y leer propiedades del sistema que no deberían ser visibles. It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. • http://rhn.redhat.com/errata/RHSA-2017-0457.html http://www.debian.org/security/2016/dsa-3720 http://www.securityfocus.com/bid/93943 http://www.securitytracker.com/id/1037143 https://access.redhat.com/errata/RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:2247 https://lists.apache.org/thread.html/09d2f2c65ac4ff5da42f15dc2b0f78b655e50f1a42e8a9784134a9eb%40%3Cannounce.tomcat.apache.org%3E https://lists.apache.org/thread.html/343558d982879bf88e •