CVSS: 9.1EPSS: 0%CPEs: 33EXPL: 1CVE-2016-5018 – tomcat: security manager bypass via IntrospectHelper utility function
https://notcve.org/view.php?id=CVE-2016-5018
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. En Apache Tomcat 9.0.0.M1 a 9.0.0.M9, 8.5.0 a 8.5.4, 8.0.0.RC1 a 8.0.36, 7.0.0 a 7.0.70, y 6.0.0 a 6.0.45 una aplicación web maliciosa era capaz de omitir un SecurityManager configurado mediante un método utility Tomcat accesible para las aplicaciones web. It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. • http://packetstormsecurity.com/files/155873/Tomcat-9.0.0.M1-Sandbox-Escape.html http://rhn.redhat.com/errata/RHSA-2017-0457.html http://rhn.redhat.com/errata/RHSA-2017-1551.html http://www.debian.org/security/2016/dsa-3720 http://www.securityfocus.com/bid/93942 http://www.securitytracker.com/id/1037142 http://www.securitytracker.com/id/1038757 https://access.redhat.com/errata/RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0456 https://access.redhat.com/err •
CVSS: 5.9EPSS: 0%CPEs: 33EXPL: 0CVE-2016-0762 – tomcat: timing attack in Realm implementation
https://notcve.org/view.php?id=CVE-2016-0762
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. Las implementaciones Realm en Apache Tomcat versiones 9.0.0.M1 a 9.0.0.M9, 8.5.0 a 8.5.4, 8.0.0.RC1 a 8.0.36, 7.0.0 a 7.0.70, y 6.0.0 a 6.0.45 no procesaban la contraseña proporcionada si el nombre de usuario proporcionado no existía. Esto hizo posible la realización de un ataque basado en tiempo para determinar nombres de usuario válidos. • http://rhn.redhat.com/errata/RHSA-2017-0457.html http://www.debian.org/security/2016/dsa-3720 http://www.securityfocus.com/bid/93939 http://www.securitytracker.com/id/1037144 https://access.redhat.com/errata/RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:2247 https://lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009%40%3Cannounce.tomcat.apache.org%3E https://lists.apache.org/thread.html/343558d982879bf88e • CWE-203: Observable Discrepancy •
CVSS: 7.5EPSS: 0%CPEs: 32EXPL: 0CVE-2016-6797 – tomcat: unrestricted access to global resources
https://notcve.org/view.php?id=CVE-2016-6797
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. La implementación ResourceLinkFactory en Apache Tomcat 9.0.0.M1 a 9.0.0.M9, 8.5.0 a 8.5.4, 8.0.0.RC1 a 8.0.36, 7.0.0 a 7.0.70 a 6.0.0 a 6.0.45 no limitaba el acceso de las aplicaciones web a recursos globales JNDI a aquellos relacionados explícitamente con la aplicación web. Por lo tanto, era posible que una aplicación web accediese a cualquier recurso global JNDI sin importar si se había configurado un ResourceLink explícito. It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. • http://rhn.redhat.com/errata/RHSA-2017-0457.html http://www.debian.org/security/2016/dsa-3720 http://www.securityfocus.com/bid/93940 http://www.securitytracker.com/id/1037145 https://access.redhat.com/errata/RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:2247 https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/37220405a377c0182d2afdb • CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2016-9775
https://notcve.org/view.php?id=CVE-2016-9775
The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u7 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to gain root privileges via a setgid program in the Catalina directory, as demonstrated by /etc/tomcat8/Catalina/attack. El script postrm en el paquete tomcat6 en versiones anteriores a 6.0.45+dfsg-1~deb7u3 en Debian wheezy, en versiones anteriores a 6.0.45+dfsg-1~deb8u1 en Debian jessie, en versiones anteriores a 6.0.35-1ubuntu3.9 rn Ubuntu 12.04 LTS y en Ubuntu 14.04 LTS; el paquete tomcat7 en versiones anteriores a 7.0.28-4+deb7u7 en Debian wheezy, en versiones anteriores a 7.0.56-3+deb8u6 en Debian jessie, en versiones anteriores a 7.0.52-1ubuntu0.8 en Ubuntu 14.04 LTS, y en Ubuntu 12.04 LTS, 16.04 LTS y 16.10; y el paquete tomcat8 en versiones anteriores a 8.0.14-1+deb8u5 en Debian jessie, en versiones anteriores a 8.0.32-1ubuntu1.3 en Ubuntu 16.04 LTS, en versiones anteriores a 8.0.37-1ubuntu0.1 en Ubuntu 16.10 y en versiones anteriores a 8.0.38-2ubuntu1 en Ubuntu 17.04 podrían permitir a usuarios locales con acceso a la cuenta tomcat obtener privilegios root a través de un programa setgid en el directorio Catalina, como se demuestra por /etc/tomcat8/Catalina/attack • http://www.debian.org/security/2016/dsa-3738 http://www.debian.org/security/2016/dsa-3739 http://www.openwall.com/lists/oss-security/2016/12/02/10 http://www.openwall.com/lists/oss-security/2016/12/02/5 http://www.securityfocus.com/bid/94643 http://www.ubuntu.com/usn/USN-3177-1 http://www.ubuntu.com/usn/USN-3177-2 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845385 https://security.netapp.com/advisory/ntap-20180731-0002 https://www.oracle. • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2016-9774
https://notcve.org/view.php?id=CVE-2016-9774
The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u8 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to obtain sensitive information or gain root privileges via a symlink attack on the Catalina localhost directory. El script postinst en el paquete tomcat6 en versiones anteriores a 6.0.45+dfsg-1~deb7u4 en Debian wheezy, en versiones anteriores a 6.0.35-1ubuntu3.9 en Ubuntu 12.04 LTS y en Ubuntu 14.04 LTS; el paquete tomcat7 en versiones anteriores a 7.0.28-4+deb7u8 en Debian wheezy, en versiones anteriores a 7.0.56-3+deb8u6 en Debian jessie, en versiones anteriores a 7.0.52-1ubuntu0.8 en Ubuntu 14.04 LTS, y en Ubuntu 12.04 LTS, 16.04 LTS y 16.10; y el paquete tomcat8 en versiones anteriores a 8.0.14-1+deb8u5 en Debian jessie, en versiones anteriores a 8.0.32-1ubuntu1.3 en Ubuntu 16.04 LTS, en versiones anteriores a 8.0.37-1ubuntu0.1 en Ubuntu 16.10 y en versiones anteriores a 8.0.38-2ubuntu1 en Ubuntu 17.04 podrían permitir a usuarios locales con acceso a la cuenta tomcat obtener información sensible u obtener privilegios root a través de un ataque de enlace simbólico en el directorio localhost Catalina. • http://www.debian.org/security/2016/dsa-3738 http://www.debian.org/security/2016/dsa-3739 http://www.openwall.com/lists/oss-security/2016/12/02/10 http://www.openwall.com/lists/oss-security/2016/12/02/5 http://www.securityfocus.com/bid/94643 http://www.ubuntu.com/usn/USN-3177-1 http://www.ubuntu.com/usn/USN-3177-2 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845393 https://security.netapp.com/advisory/ntap-20180731-0002 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •