CVSS: 7.5EPSS: 0%CPEs: 138EXPL: 0CVE-2016-8745 – tomcat: information disclosure due to incorrect Processor sharing
https://notcve.org/view.php?id=CVE-2016-8745
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions. • http://rhn.redhat.com/errata/RHSA-2017-0457.html http://rhn.redhat.com/errata/RHSA-2017-0527.html http://www.debian.org/security/2017/dsa-3754 http://www.debian.org/security/2017/dsa-3755 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.securityfocus.com/bid/94828 http://www.securitytracker.com/id/1037432 https://access.redhat.com/errata/RHSA-2017:0455 https://a • CWE-388: 7PK - Errors •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 1CVE-2016-1240 – Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2016-1240
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out. El inicio de secuencia de comandos de Tomcat en el paquete tomcat7 en versiones anteriores 7.0.56-3+deb8u4 y el paquete tomcat8 en versiones anteriores 8.0.14-1+deb8u3 en Debian jessie y los paquetes tomcat6 y libtomcat6-java en versiones anteriores 6.0.35-1ubuntu3.8 en Ubuntu 12.04 LTS, los paquetes tomcat7 y libtomcat7-java en versiones anteriores 7.0.52-1ubuntu0.7 en Ubuntu 14.04 LTS y los paquetes tomcat8 y libtomcat8-java en versiones anteriores 8.0.32-1ubuntu1.2 en Ubuntu 16.04 LTS permite a usuarios locales con acceso a la cuenta tomcat obtener privilegios de root a través de un ataque de enlace simbólico en archivo de registro Catalina, según lo demostrado por /var/log/tomcat7/catalina.out. It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. Apache Tomcat versions 8.0.36-2 and below, 7.0.70-2 and below, and 6.0.45+dfsg-1~deb8ul and below suffer from a local root privilege escalation vulnerability. • https://www.exploit-db.com/exploits/40450 http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html http://packetstormsecurity.com/files/170857/Apache-Tomcat-On-Ubuntu-Log-Init-Privilege-Escalation.html http://rhn.redhat.com/errata/RHSA-2017-0457.html http://www.debian.org/security/2016/dsa-3669 http://www.debian.org/security/2016/dsa-3670 http://www.securityfocus.com/archive/1/539519/100/0/threaded http://www.securityfocus.com/bid/93263 http&# • CWE-20: Improper Input Validation CWE-284: Improper Access Control •
CVSS: 8.1EPSS: 94%CPEs: 18EXPL: 0CVE-2016-5388 – Tomcat: CGI sets environmental variable based on user supplied Proxy request header
https://notcve.org/view.php?id=CVE-2016-5388
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability. Apache Tomcat, en versiones 7.x hasta la 7.0.70 y versiones 8.x hasta la 8.5.4, cuando el Servlet CGI está habilitado, sigue la sección 4.1.18 de RFC 3875 y, por lo tanto, no protege aplicaciones ante la presencia de datos de cliente no fiables en la variable de entorno HTTP_PROXY. Esto podría permitir que atacantes remotos redirijan el tráfico HTTP saliente de una aplicación a un servidor proxy arbitrario mediante una cabecera Proxy manipulada en una petición HTTP. Esto también se conoce como problema "httpoxy". • http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html http://rhn.redhat.com/errata/RHSA-2016-1624.html http://rhn.redhat.com/errata/RHSA-2016-2045.html http://rhn.redhat.com/errata/RHSA-2016-2046.html http://www.kb.cert.org/vuls/id/797896 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html http://www.securityfocus.com/bid/91818 http://www.securitytracker.com/id/ • CWE-20: Improper Input Validation CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 5%CPEs: 94EXPL: 0CVE-2016-3092 – tomcat: Usage of vulnerable FileUpload package can result in denial of service
https://notcve.org/view.php?id=CVE-2016-3092
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. La clase MultipartStream en Apache Commons Fileupload en versiones anteriores a 1.3.2, tal como se utiliza en Apache Tomcat 7.x en versiones anteriores a 7.0.70, 8.x en versiones anteriores a 8.0.36, 8.5.x en versiones anteriores a 8.5.3 y 9.x en versiones anteriores a 9.0.0.M7 y otros productos, permite a atacantes remotos provocar una denegación de servicio (consumo de CPU) a través de una cadena de límite largo. A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. • http://jvn.jp/en/jp/JVN89379547/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121 http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E http://rhn.redhat.com/errata/RHSA-2016-2068.html http://rhn.redhat.com/errata/RHSA-2016-2069.html http://rhn.redhat.com/errata/RHSA-2016-2070.html http://rhn.redhat.com/errata/RHSA-2016 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 74EXPL: 0CVE-2016-0763 – tomcat: security manager bypass via setGlobalContext()
https://notcve.org/view.php?id=CVE-2016-0763
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. El método setGlobalContext en org/apache/naming/factory/ResourceLinkFactory.java en Apache Tomcat 7.x en versiones anteriores a 7.0.68, 8.x en versiones anteriores a 8.0.31 y 9.x en versiones anteriores a 9.0.0.M3 no considera si los que llaman a ResourceLinkFactory.setGlobalContext están autorizados, lo que permite a usuarios remotos autenticados eludir las restricciones de SecurityManager previstas y leer o escribir a datos de aplicación arbitrarios, o provocar una denegación de servicio (interrupción de aplicación), a través de una aplicación web que establece un contexto global manipulado. A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html http://rhn.redhat.com/errata/RHSA-2016-1089.html http://rhn.redhat.com/errata/RHSA-2016-2599.html http://rhn.redhat.com/errata/RHSA-2016-2807.html http://rhn.redhat.com/errata/RHSA-2016 • CWE-264: Permissions, Privileges, and Access Controls CWE-287: Improper Authentication •