Vulnerabilities > CVE-2016-0706 - Information Exposure vulnerability in multiple products

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
low complexity
canonical
debian
apache
CWE-200
nessus
NVD
Published: 2016-02-25
Updated: 2023-12-08

Summary

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

Vulnerable Configurations

Part Description Count
OS
Canonical
4
OS
Debian
2
Application
Apache
98

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyCGI abuses
    NASL idMYSQL_ENTERPRISE_MONITOR_3_1_5_7958.NASL
    descriptionAccording to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.1.x prior to 3.1.5.7958. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the bundled version of Apache Tomcat in the Manager and Host Manager web applications due to a flaw in the index page when issuing redirects in response to unauthenticated requests for the root directory of the application. An authenticated, remote attacker can exploit this to gain access to the XSRF token information stored in the index page. (CVE-2015-5351) - A remote code execution vulnerability exists in the Framework subcomponent that allows an authenticated, remote attacker to execute arbitrary code. (CVE-2016-0635) - An information disclosure vulnerability exists in the bundled version of Apache Tomcat that allows a specially crafted web application to load the StatusManagerServlet. An authenticated, remote attacker can exploit this to gain unauthorized access to a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. (CVE-2016-0706) - A remote code execution vulnerability exists in the bundled version of Apache Tomcat due to a flaw in the StandardManager, PersistentManager, and cluster implementations that is triggered when handling persistent sessions. An authenticated, remote attacker can exploit this, via a crafted object in a session, to bypass the security manager and execute arbitrary code. (CVE-2016-0714) - A security bypass vulnerability exists in the bundled version of Apache Tomcat due to a failure to consider whether ResourceLinkFactory.setGlobalContext callers are authorized. An authenticated, remote attacker can exploit this, via a web application that sets a crafted global context, to bypass intended SecurityManager restrictions and read or write to arbitrary application data or cause a denial of service condition. (CVE-2016-0763) - Multiple integer overflow conditions exist in the bundled version of OpenSSL in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the bundled version of OpenSSL in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the bundled version of OpenSSL in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the bundled version of OpenSSL in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the
    last seen2020-06-01
    modified2020-06-02
    plugin id96767
    published2017-01-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96767
    titleMySQL Enterprise Monitor 3.1.x < 3.1.5.7958 Multiple Vulnerabilities (SWEET32) (January 2017 CPU)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-2599.NASL
    descriptionFrom Red Hat Security Advisory 2016:2599 : An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. The following packages have been upgraded to a newer upstream version: tomcat (7.0.69). (BZ#1287928) Security Fix(es) : * A CSRF flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id94718
    published2016-11-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94718
    titleOracle Linux 7 : tomcat (ELSA-2016-2599)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-680.NASL
    descriptionResourceLinkFactory.setGlobalContext() is a public method and was discovered to be accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications. (CVE-2016-0763) The Manager and Host Manager applications were discovered to establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. (CVE-2015-5351) The Mapper component processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. (CVE-2015-5345) The session-persistence implementation was discovered to mishandle session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. (CVE-2016-0714) It was discovered that org.apache.catalina.manager.StatusManagerServlet was not placed on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. (CVE-2016-0706)
    last seen2020-06-01
    modified2020-06-02
    plugin id90273
    published2016-04-01
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/90273
    titleAmazon Linux AMI : tomcat7 (ALAS-2016-680)
  • NASL familyWeb Servers
    NASL idTOMCAT_9_0_0_M3.NASL
    descriptionAccording to its self-reported version number, the Apache Tomcat instance listening on the remote host is prior to 9.0.0.M3. It is, therefore, affected by multiple vulnerabilities: - An information disclosure vulnerability exists due to a failure to enforce access restrictions when handling directory requests that are missing trailing slashes. An unauthenticated, remote attacker can exploit this to enumerate valid directories. (CVE-2015-5345) - A flaw exists due to a failure to invalidate a previous session ID when assigning an ID to a new session. An attacker can exploit this, via a crafted request that uses the requestedSessionSSL field to fixate the session ID, to ensure that the user authenticates with a known session ID, allowing the session to be subsequently hijacked. (CVE-2015-5346) - An information disclosure vulnerability exists in the Manager and Host Manager web applications due to a flaw in the index page when issuing redirects in response to unauthenticated requests for the root directory of the application. An unauthenticated, remote attacker can exploit this to gain access to the XSRF token information stored in the index page. (CVE-2015-5351) - An information disclosure vulnerability exists that allows a specially crafted web application to load the StatusManagerServlet. An attacker can exploit this to gain unauthorized access to a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. (CVE-2016-0706) - A security bypass vulnerability exists due to a flaw in the StandardManager, PersistentManager, and cluster implementations that is triggered when handling persistent sessions. An unauthenticated, remote attacker can exploit this, via a crafted object in a session, to bypass the security manager and execute arbitrary code. (CVE-2016-0714) - A flaw exists due to the setGlobalContext() method of ResourceLinkFactory being accessible to web applications even when run under a security manager. An unauthenticated, remote attacker can exploit this to inject malicious global context, allowing data owned by other web applications to be read or written to. (CVE-2016-0763) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-03-18
    modified2019-01-11
    plugin id121125
    published2019-01-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121125
    titleApache Tomcat < 9.0.0.M3 Multiple Vulnerabilities
  • NASL familyWeb Servers
    NASL idTOMCAT_8_0_32.NASL
    descriptionAccording to its self-reported version number, the Apache Tomcat service running on the remote host is 8.0.x prior to 8.0.32. It is, therefore, affected by multiple vulnerabilities : - A flaw exists due to a failure to invalidate a previous session ID when assigning an ID to a new session. An attacker can exploit this, via a crafted request that uses the requestedSessionSSL field to fixate the session ID, to ensure that the user authenticates with a known session ID, allowing the session to be subsequently hijacked. (CVE-2015-5346) - An information disclosure vulnerability exists in the Manager and Host Manager web applications due to a flaw in the index page when issuing redirects in response to unauthenticated requests for the root directory of the application. An unauthenticated, remote attacker can exploit this to gain access to the XSRF token information stored in the index page. (CVE-2015-5351) - An information disclosure vulnerability exists that allows a specially crafted web application to load the StatusManagerServlet. An attacker can exploit this to gain unauthorized access to a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. (CVE-2016-0706) - A security bypass vulnerability exists due to a flaw in the StandardManager, PersistentManager, and cluster implementations that is triggered when handling persistent sessions. An unauthenticated, remote attacker can exploit this, via a crafted object in a session, to bypass the security manager and execute arbitrary code. (CVE-2016-0714) - A flaw exists due to the setGlobalContext() method of ResourceLinkFactory being accessible to web applications even when run under a security manager. An unauthenticated, remote attacker can exploit this to inject malicious global context, allowing data owned by other web applications to be read or written to. (CVE-2016-0763) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-03-18
    modified2016-02-24
    plugin id88937
    published2016-02-24
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/88937
    titleApache Tomcat 8.0.0.RC1 < 8.0.32 Multiple Vulnerabilities
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-2045.NASL
    descriptionFrom Red Hat Security Advisory 2016:2045 : An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A directory traversal flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id93947
    published2016-10-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93947
    titleOracle Linux 6 : tomcat6 (ELSA-2016-2045) (httpoxy)
  • NASL familyWeb Servers
    NASL idTOMCAT_7_0_68.NASL
    descriptionAccording to its self-reported version number, the Apache Tomcat service running on the remote host is 7.0.x prior to 7.0.68. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists due to a failure to enforce access restrictions when handling directory requests that are missing trailing slashes. An unauthenticated, remote attacker can exploit this to enumerate valid directories. (CVE-2015-5345) - An information disclosure vulnerability exists in the Manager and Host Manager web applications due to a flaw in the index page when issuing redirects in response to unauthenticated requests for the root directory of the application. An unauthenticated, remote attacker can exploit this to gain access to the XSRF token information stored in the index page. Note that the Apache Tomcat advisory does not list Tomcat version 7.0.0 as affected by this vulnerability. (CVE-2015-5351) - An information disclosure vulnerability exists that allows a specially crafted web application to load the StatusManagerServlet. An attacker can exploit this to gain unauthorized access to a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. (CVE-2016-0706) - A security bypass vulnerability exists due to a flaw in the StandardManager, PersistentManager, and cluster implementations that is triggered when handling persistent sessions. An unauthenticated, remote attacker can exploit this, via a crafted object in a session, to bypass the security manager and execute arbitrary code. (CVE-2016-0714) - A flaw exists due to the setGlobalContext() method of ResourceLinkFactory being accessible to web applications even when run under a security manager. An unauthenticated, remote attacker can exploit this to inject malicious global context, allowing data owned by other web applications to be read or written to. (CVE-2016-0763) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-03-18
    modified2016-02-24
    plugin id88936
    published2016-02-24
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/88936
    titleApache Tomcat 7.0.x < 7.0.68 Multiple Vulnerabilities
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_1F1124FEDE5C11E58FA814DAE9D210B8.NASL
    descriptionMark Thomas reports : - CVE-2015-5345 Apache Tomcat Directory disclosure - CVE-2016-0706 Apache Tomcat Security Manager bypass - CVE-2016-0714 Apache Tomcat Security Manager Bypass
    last seen2020-06-01
    modified2020-06-02
    plugin id89006
    published2016-02-29
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89006
    titleFreeBSD : tomcat -- multiple vulnerabilities (1f1124fe-de5c-11e5-8fa8-14dae9d210b8)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2016-1054.NASL
    descriptionAccording to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.(CVE-2015-5174) - The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.(CVE-2015-5345) - The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.(CVE-2015-5351) - Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.(CVE-2016-0706) - The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.(CVE-2016-0714) - The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.(CVE-2016-0763) - The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.(CVE-2016-3092) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-05-01
    plugin id99816
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99816
    titleEulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1054)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3609.NASL
    descriptionMultiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections, bypass of the SecurityManager or denial of service.
    last seen2020-06-01
    modified2020-06-02
    plugin id91906
    published2016-07-01
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91906
    titleDebian DSA-3609-1 : tomcat8 - security update
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1087.NASL
    descriptionRed Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References. Security Fix(es) : * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) * A CSRF flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id91245
    published2016-05-19
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91245
    titleRHEL 6 : JBoss Web Server (RHSA-2016:1087)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3024-1.NASL
    descriptionIt was discovered that Tomcat incorrectly handled pathnames used by web applications in a getResource, getResourceAsStream, or getResourcePaths call. A remote attacker could use this issue to possibly list a parent directory . This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5174) It was discovered that the Tomcat mapper component incorrectly handled redirects. A remote attacker could use this issue to determine the existence of a directory. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5345) It was discovered that Tomcat incorrectly handled different session settings when multiple versions of the same web application was deployed. A remote attacker could possibly use this issue to hijack web sessions. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5346) It was discovered that the Tomcat Manager and Host Manager applications incorrectly handled new requests. A remote attacker could possibly use this issue to bypass CSRF protection mechanisms. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5351) It was discovered that Tomcat did not place StatusManagerServlet on the RestrictedServlets list. A remote attacker could possibly use this issue to read arbitrary HTTP requests, including session ID values. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-0706) It was discovered that the Tomcat session-persistence implementation incorrectly handled session attributes. A remote attacker could possibly use this issue to execute arbitrary code in a privileged context. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-0714) It was discovered that the Tomcat setGlobalContext method incorrectly checked if callers were authorized. A remote attacker could possibly use this issue to read or wite to arbitrary application data, or cause a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-0763) It was discovered that the Tomcat Fileupload library incorrectly handled certain upload requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-3092). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id91954
    published2016-07-06
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91954
    titleUbuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : tomcat6, tomcat7 vulnerabilities (USN-3024-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-2807.NASL
    descriptionAn update is now available for Red Hat JBoss Enterprise Web Server 2 for RHEL 6 and Red Hat JBoss Enterprise Web Server 2 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. This release of Red Hat JBoss Web Server 2.1.2 serves as a replacement for Red Hat JBoss Web Server 2.1.1. It contains security fixes for the Tomcat 7 component. Only users of the Tomcat 7 component in JBoss Web Server need to apply the fixes delivered in this release. Security Fix(es) : * A CSRF flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id95024
    published2016-11-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95024
    titleRHEL 6 / 7 : JBoss Web Server (RHSA-2016:2807)
  • NASL familyCGI abuses
    NASL idMYSQL_ENTERPRISE_MONITOR_3_2_2_1075.NASL
    descriptionAccording to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.2.1075. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the bundled version of Apache Tomcat in the Manager and Host Manager web applications due to a flaw in the index page when issuing redirects in response to unauthenticated requests for the root directory of the application. An authenticated, remote attacker can exploit this to gain access to the XSRF token information stored in the index page. (CVE-2015-5351) - A remote code execution vulnerability exists in the JMXInvokerServlet interface due to improper validation of Java objects before deserialization. An authenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-7501) - A remote code execution vulnerability exists in the Framework subcomponent that allows an authenticated, remote attacker to execute arbitrary code. (CVE-2016-0635) - An information disclosure vulnerability exists in the bundled version of Apache Tomcat that allows a specially crafted web application to load the StatusManagerServlet. An authenticated, remote attacker can exploit this to gain unauthorized access to a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. (CVE-2016-0706) - A remote code execution vulnerability exists in the bundled version of Apache Tomcat due to a flaw in the StandardManager, PersistentManager, and cluster implementations that is triggered when handling persistent sessions. An authenticated, remote attacker can exploit this, via a crafted object in a session, to bypass the security manager and execute arbitrary code. (CVE-2016-0714) - A security bypass vulnerability exists in the bundled version of Apache Tomcat due to a failure to consider whether ResourceLinkFactory.setGlobalContext callers are authorized. An authenticated, remote attacker can exploit this, via a web application that sets a crafted global context, to bypass intended SecurityManager restrictions and read or write to arbitrary application data or cause a denial of service condition. (CVE-2016-0763)
    last seen2020-06-01
    modified2020-06-02
    plugin id96769
    published2017-01-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96769
    titleMySQL Enterprise Monitor 3.2.x < 3.2.2.1075 Multiple Vulnerabilities (January 2017 CPU)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL18174924.NASL
    descriptionApache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. (CVE-2016-0706) Impact When this vulnerability is exploited via crafted web application, a remote authenticated user may bypass the intended security manager restrictions, read arbitrary HTTP requests, and discover session ID values. BIG-IP/Enterprise Manager BIG-IP and Enterprise Manager systems do not use the affected feature. The vulnerable software is present; however, the software is not used in a way that exposes this vulnerability. BIG-IP and Enterprise Manager systems are only vulnerable if you manually enable the feature by setting the SECURITY_MANAGER directive to true in the /etc/tomcat/tomcat.conf file. Traffix SDC Exploitation of this vulnerability may occur if an attacker has access to the local network of the system; the Tomcat service is accessible only from the internal network.
    last seen2020-03-19
    modified2018-03-06
    plugin id107135
    published2018-03-06
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107135
    titleF5 Networks BIG-IP : Apache Tomcat 6.x vulnerability (K18174924)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-384.NASL
    descriptionThis update for tomcat fixes the following issues : Tomcat 8 was updated from 8.0.23 to 8.0.32, to fix bugs and security issues. Fixed security issues : - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in Apache Tomcat allowed remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (bsc#967967) - CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when different session settings are used for deployments of multiple versions of the same web application, might have allowed remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. (bsc#967814) - CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects before considering security constraints and Filters, which allowed remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. (bsc#967965) - CVE-2015-5351: The (1) Manager and (2) Host Manager applications in Apache Tomcat established sessions and send CSRF tokens for arbitrary new requests, which allowed remote attackers to bypass a CSRF protection mechanism by using a token. (bsc#967812) - CVE-2016-0706: Apache Tomcat did not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allowed remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. (bsc#967815) - CVE-2016-0714: The session-persistence implementation in Apache Tomcat mishandled session attributes, which allowed remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. (bsc#967964) - CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat did not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allowed remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. (bsc#967966) The full changes can be read on: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen2020-06-05
    modified2016-03-24
    plugin id90136
    published2016-03-24
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/90136
    titleopenSUSE Security Update : tomcat (openSUSE-2016-384)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3552.NASL
    descriptionMultiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections and bypass of the SecurityManager.
    last seen2020-06-01
    modified2020-06-02
    plugin id90552
    published2016-04-18
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90552
    titleDebian DSA-3552-1 : tomcat7 - security update
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-2045.NASL
    descriptionAn update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A directory traversal flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id93950
    published2016-10-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93950
    titleRHEL 6 : tomcat6 (RHSA-2016:2045) (httpoxy)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20161010_TOMCAT6_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) - It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) - It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) - A directory traversal flaw was found in Tomcat
    last seen2020-03-18
    modified2016-10-12
    plugin id94004
    published2016-10-12
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94004
    titleScientific Linux Security Update : tomcat6 on SL6.x (noarch) (20161010) (httpoxy)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-2599.NASL
    descriptionAn update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. The following packages have been upgraded to a newer upstream version: tomcat (7.0.69). (BZ#1287928) Security Fix(es) : * A CSRF flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id95345
    published2016-11-28
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95345
    titleCentOS 7 : tomcat (CESA-2016:2599)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20161103_TOMCAT_ON_SL7_X.NASL
    descriptionThe following packages have been upgraded to a newer upstream version: tomcat (7.0.69). Security Fix(es) : - A CSRF flaw was found in Tomcat
    last seen2020-03-18
    modified2016-12-15
    plugin id95863
    published2016-12-15
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95863
    titleScientific Linux Security Update : tomcat on SL7.x (noarch) (20161103)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3530.NASL
    descriptionMultiple security vulnerabilities have been fixed in the Tomcat servlet and JSP engine, which may result on bypass of security manager restrictions, information disclosure, denial of service or session fixation.
    last seen2020-06-01
    modified2020-06-02
    plugin id90205
    published2016-03-28
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90205
    titleDebian DSA-3530-1 : tomcat6 - security update
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-435.NASL
    descriptionTomcat 6, an implementation of the Java Servlet and the JavaServer Pages (JSP) specifications and a pure Java web server environment, was affected by multiple security issues prior version 6.0.45. CVE-2015-5174 Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. CVE-2015-5345 The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. CVE-2015-5351 The Manager and Host Manager applications in Apache Tomcat establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. CVE-2016-0706 Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache /catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. CVE-2016-0714 The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. CVE-2016-0763 The setGlobalContext method in org/apache/naming/factory /ResourceLinkFactory.java in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. For Debian 6
    last seen2020-03-17
    modified2016-02-29
    plugin id88996
    published2016-02-29
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/88996
    titleDebian DLA-435-1 : tomcat6 security update
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1088.NASL
    descriptionRed Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References. Security Fix(es) : * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) * A CSRF flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id91246
    published2016-05-19
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91246
    titleRHEL 7 : JBoss Web Server (RHSA-2016:1088)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-2045.NASL
    descriptionAn update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A directory traversal flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id93965
    published2016-10-12
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93965
    titleCentOS 6 : tomcat6 (CESA-2016:2045) (httpoxy)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-681.NASL
    descriptionA directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. (CVE-2015-5174) The Mapper component processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. (CVE-2015-5345) The session-persistence implementation was discovered to mishandle session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. (CVE-2016-0714) It was discovered that org.apache.catalina.manager.StatusManagerServlet was not placed on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. (CVE-2016-0706)
    last seen2020-06-01
    modified2020-06-02
    plugin id90274
    published2016-04-01
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/90274
    titleAmazon Linux AMI : tomcat6 (ALAS-2016-681)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-2599.NASL
    descriptionAn update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. The following packages have been upgraded to a newer upstream version: tomcat (7.0.69). (BZ#1287928) Security Fix(es) : * A CSRF flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id94562
    published2016-11-04
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94562
    titleRHEL 7 : tomcat (RHSA-2016:2599)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201705-09.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201705-09 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause a Denial of Service condition, obtain sensitive information, bypass protection mechanisms and authentication restrictions. A local attacker, who is a tomcat&rsquo;s system user or belongs to tomcat&rsquo;s group, could potentially escalate privileges. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id100262
    published2017-05-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100262
    titleGLSA-201705-09 : Apache Tomcat: Multiple vulnerabilities
  • NASL familyWeb Servers
    NASL idTOMCAT_6_0_45.NASL
    descriptionAccording to its self-reported version number, the Apache Tomcat service running on the remote host is 6.0.x prior to 6.0.45. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the getResource(), getResourceAsStream(), and getResourcePaths() ServletContext methods due to a failure to properly sanitize user-supplied input. An unauthenticated, remote attacker can exploit this, via a crafted path traversal request, to gain access to the listing of directory contents. (CVE-2015-5174) - An information disclosure vulnerability exists due to a failure to enforce access restrictions when handling directory requests that are missing trailing slashes. An unauthenticated, remote attacker can exploit this to enumerate valid directories. (CVE-2015-5345) - An information disclosure vulnerability exists that allows a specially crafted web application to load the StatusManagerServlet. An attacker can exploit this to gain unauthorized access to a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. (CVE-2016-0706) - A security bypass vulnerability exists due to a flaw in the StandardManager, PersistentManager, and cluster implementations that is triggered when handling persistent sessions. An unauthenticated, remote attacker can exploit this, via a crafted object in a session, to bypass the security manager and execute arbitrary code. (CVE-2016-0714) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-03-18
    modified2016-02-24
    plugin id88935
    published2016-02-24
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/88935
    titleApache Tomcat 6.0.x < 6.0.45 Multiple Vulnerabilities
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-679.NASL
    descriptionResourceLinkFactory.setGlobalContext() is a public method and was discovered to be accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications. (CVE-2016-0763) A session fixation vulnerability was discovered that might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request when different session settings are used for deployments of multiple versions of the same web application. (CVE-2015-5346) The Manager and Host Manager applications were discovered to establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. (CVE-2015-5351) The session-persistence implementation was discovered to mishandle session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. (CVE-2016-0714) It was discovered that org.apache.catalina.manager.StatusManagerServlet was not placed on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. (CVE-2016-0706)
    last seen2020-06-01
    modified2020-06-02
    plugin id90272
    published2016-04-01
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/90272
    titleAmazon Linux AMI : tomcat8 (ALAS-2016-679)

Redhat

advisories
  • rhsa
    idRHSA-2016:1087
  • rhsa
    idRHSA-2016:1088
  • rhsa
    idRHSA-2016:1089
  • rhsa
    idRHSA-2016:2045
  • rhsa
    idRHSA-2016:2599
  • rhsa
    idRHSA-2016:2807
  • rhsa
    idRHSA-2016:2808
rpms
  • httpd24-0:2.4.6-61.ep7.el6
  • httpd24-debuginfo-0:2.4.6-61.ep7.el6
  • httpd24-devel-0:2.4.6-61.ep7.el6
  • httpd24-manual-0:2.4.6-61.ep7.el6
  • httpd24-tools-0:2.4.6-61.ep7.el6
  • mod_ldap24-0:2.4.6-61.ep7.el6
  • mod_proxy24_html-1:2.4.6-61.ep7.el6
  • mod_security-jws3-0:2.8.0-7.GA.ep7.el6
  • mod_security-jws3-debuginfo-0:2.8.0-7.GA.ep7.el6
  • mod_session24-0:2.4.6-61.ep7.el6
  • mod_ssl24-1:2.4.6-61.ep7.el6
  • tomcat7-0:7.0.59-50_patch_01.ep7.el6
  • tomcat7-admin-webapps-0:7.0.59-50_patch_01.ep7.el6
  • tomcat7-docs-webapp-0:7.0.59-50_patch_01.ep7.el6
  • tomcat7-el-2.2-api-0:7.0.59-50_patch_01.ep7.el6
  • tomcat7-javadoc-0:7.0.59-50_patch_01.ep7.el6
  • tomcat7-jsp-2.2-api-0:7.0.59-50_patch_01.ep7.el6
  • tomcat7-lib-0:7.0.59-50_patch_01.ep7.el6
  • tomcat7-log4j-0:7.0.59-50_patch_01.ep7.el6
  • tomcat7-servlet-3.0-api-0:7.0.59-50_patch_01.ep7.el6
  • tomcat7-webapps-0:7.0.59-50_patch_01.ep7.el6
  • tomcat8-0:8.0.18-61_patch_01.ep7.el6
  • tomcat8-admin-webapps-0:8.0.18-61_patch_01.ep7.el6
  • tomcat8-docs-webapp-0:8.0.18-61_patch_01.ep7.el6
  • tomcat8-el-2.2-api-0:8.0.18-61_patch_01.ep7.el6
  • tomcat8-javadoc-0:8.0.18-61_patch_01.ep7.el6
  • tomcat8-jsp-2.3-api-0:8.0.18-61_patch_01.ep7.el6
  • tomcat8-lib-0:8.0.18-61_patch_01.ep7.el6
  • tomcat8-log4j-0:8.0.18-61_patch_01.ep7.el6
  • tomcat8-servlet-3.1-api-0:8.0.18-61_patch_01.ep7.el6
  • tomcat8-webapps-0:8.0.18-61_patch_01.ep7.el6
  • httpd24-0:2.4.6-61.ep7.el7
  • httpd24-debuginfo-0:2.4.6-61.ep7.el7
  • httpd24-devel-0:2.4.6-61.ep7.el7
  • httpd24-manual-0:2.4.6-61.ep7.el7
  • httpd24-tools-0:2.4.6-61.ep7.el7
  • mod_ldap24-0:2.4.6-61.ep7.el7
  • mod_proxy24_html-1:2.4.6-61.ep7.el7
  • mod_security-jws3-0:2.8.0-7.GA.ep7.el7
  • mod_security-jws3-debuginfo-0:2.8.0-7.GA.ep7.el7
  • mod_session24-0:2.4.6-61.ep7.el7
  • mod_ssl24-1:2.4.6-61.ep7.el7
  • tomcat7-0:7.0.59-50_patch_01.ep7.el7
  • tomcat7-admin-webapps-0:7.0.59-50_patch_01.ep7.el7
  • tomcat7-docs-webapp-0:7.0.59-50_patch_01.ep7.el7
  • tomcat7-el-2.2-api-0:7.0.59-50_patch_01.ep7.el7
  • tomcat7-javadoc-0:7.0.59-50_patch_01.ep7.el7
  • tomcat7-jsp-2.2-api-0:7.0.59-50_patch_01.ep7.el7
  • tomcat7-lib-0:7.0.59-50_patch_01.ep7.el7
  • tomcat7-log4j-0:7.0.59-50_patch_01.ep7.el7
  • tomcat7-servlet-3.0-api-0:7.0.59-50_patch_01.ep7.el7
  • tomcat7-webapps-0:7.0.59-50_patch_01.ep7.el7
  • tomcat8-0:8.0.18-61_patch_01.ep7.el7
  • tomcat8-admin-webapps-0:8.0.18-61_patch_01.ep7.el7
  • tomcat8-docs-webapp-0:8.0.18-61_patch_01.ep7.el7
  • tomcat8-el-2.2-api-0:8.0.18-61_patch_01.ep7.el7
  • tomcat8-javadoc-0:8.0.18-61_patch_01.ep7.el7
  • tomcat8-jsp-2.3-api-0:8.0.18-61_patch_01.ep7.el7
  • tomcat8-lib-0:8.0.18-61_patch_01.ep7.el7
  • tomcat8-log4j-0:8.0.18-61_patch_01.ep7.el7
  • tomcat8-servlet-3.1-api-0:8.0.18-61_patch_01.ep7.el7
  • tomcat8-webapps-0:8.0.18-61_patch_01.ep7.el7
  • tomcat6-0:6.0.24-98.el6_8
  • tomcat6-admin-webapps-0:6.0.24-98.el6_8
  • tomcat6-docs-webapp-0:6.0.24-98.el6_8
  • tomcat6-el-2.1-api-0:6.0.24-98.el6_8
  • tomcat6-javadoc-0:6.0.24-98.el6_8
  • tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8
  • tomcat6-lib-0:6.0.24-98.el6_8
  • tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8
  • tomcat6-webapps-0:6.0.24-98.el6_8
  • tomcat-0:7.0.69-10.el7
  • tomcat-admin-webapps-0:7.0.69-10.el7
  • tomcat-docs-webapp-0:7.0.69-10.el7
  • tomcat-el-2.2-api-0:7.0.69-10.el7
  • tomcat-javadoc-0:7.0.69-10.el7
  • tomcat-jsp-2.2-api-0:7.0.69-10.el7
  • tomcat-jsvc-0:7.0.69-10.el7
  • tomcat-lib-0:7.0.69-10.el7
  • tomcat-servlet-3.0-api-0:7.0.69-10.el7
  • tomcat-webapps-0:7.0.69-10.el7
  • tomcat7-0:7.0.54-23_patch_05.ep6.el6
  • tomcat7-0:7.0.54-23_patch_05.ep6.el7
  • tomcat7-admin-webapps-0:7.0.54-23_patch_05.ep6.el6
  • tomcat7-admin-webapps-0:7.0.54-23_patch_05.ep6.el7
  • tomcat7-docs-webapp-0:7.0.54-23_patch_05.ep6.el6
  • tomcat7-docs-webapp-0:7.0.54-23_patch_05.ep6.el7
  • tomcat7-el-2.2-api-0:7.0.54-23_patch_05.ep6.el6
  • tomcat7-el-2.2-api-0:7.0.54-23_patch_05.ep6.el7
  • tomcat7-javadoc-0:7.0.54-23_patch_05.ep6.el6
  • tomcat7-javadoc-0:7.0.54-23_patch_05.ep6.el7
  • tomcat7-jsp-2.2-api-0:7.0.54-23_patch_05.ep6.el6
  • tomcat7-jsp-2.2-api-0:7.0.54-23_patch_05.ep6.el7
  • tomcat7-lib-0:7.0.54-23_patch_05.ep6.el6
  • tomcat7-lib-0:7.0.54-23_patch_05.ep6.el7
  • tomcat7-log4j-0:7.0.54-23_patch_05.ep6.el6
  • tomcat7-log4j-0:7.0.54-23_patch_05.ep6.el7
  • tomcat7-maven-devel-0:7.0.54-23_patch_05.ep6.el6
  • tomcat7-maven-devel-0:7.0.54-23_patch_05.ep6.el7
  • tomcat7-servlet-3.0-api-0:7.0.54-23_patch_05.ep6.el6
  • tomcat7-servlet-3.0-api-0:7.0.54-23_patch_05.ep6.el7
  • tomcat7-webapps-0:7.0.54-23_patch_05.ep6.el6
  • tomcat7-webapps-0:7.0.54-23_patch_05.ep6.el7

References