CVSS: 9.8EPSS: 94%CPEs: 56EXPL: 0CVE-2016-8735 – Apache Tomcat Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2016-8735
18 Dec 2016 — Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types. La ejecución remota de código es posible con Apache Tomcat en versiones anteriores a 6.0.48, 7.x en versiones anteriores a 7.0.73, 8.x en versiones ... • http://rhn.redhat.com/errata/RHSA-2017-0457.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 0%CPEs: 20EXPL: 2CVE-2015-8960
https://notcve.org/view.php?id=CVE-2015-8960
21 Sep 2016 — The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key Compromise Impe... • http://twitter.com/matthew_d_green/statuses/630908726950674433 • CWE-295: Improper Certificate Validation •