History: Aug 10, 2017 - 4:29 p.m.

CVE-2016-6794

Published: 2017-08-10 16:29:00
Reporter: apache
Source: web.nvd.nist.gov
Tags: cve-2016-6794, apache tomcat, securitymanager, configuration files, system properties, access control, nvd

CVSS2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: NONE
  Availability Impact: NONE

AI Score: 7 (Confidence: Low)
EPSS: 0.001 (Percentile: 43.7%)

When a SecurityManager is configured, a web application’s ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Affected configurations

Node
  apache tomcat: range 6.0.0 to 6.0.45
  OR apache tomcat: range 7.0.0 to 7.0.70
  OR apache tomcat: range 8.0 to 8.0.36
  OR apache tomcat: range 8.5.0 to 8.5.4
  OR apache tomcat: match 9.0.0 milestone1
  OR apache tomcat: match 9.0.0 milestone2
  OR apache tomcat: match 9.0.0 milestone3
  OR apache tomcat: match 9.0.0 milestone4
  OR apache tomcat: match 9.0.0 milestone5
  OR apache tomcat: match 9.0.0 milestone6
  OR apache tomcat: match 9.0.0 milestone7
  OR apache tomcat: match 9.0.0 milestone8
  OR apache tomcat: match 9.0.0 milestone9
Node
  debian debian_linux: match 8.0
Node
  redhat jboss_enterprise_web_server: match 3.0.0
  OR redhat enterprise_linux_desktop: match 7.0
  OR redhat enterprise_linux_eus: match 7.4
  OR redhat enterprise_linux_eus: match 7.5
  OR redhat enterprise_linux_eus: match 7.6
  OR redhat enterprise_linux_eus: match 7.7
  OR redhat enterprise_linux_server: match 7.0
  OR redhat enterprise_linux_server_aus: match 7.6
  OR redhat enterprise_linux_server_aus: match 7.7
  OR redhat enterprise_linux_server_tus: match 7.6
  OR redhat enterprise_linux_server_tus: match 7.7
  OR redhat enterprise_linux_workstation: match 7.0
Node
  netapp oncommand_insight: match - (version unspecified)
  OR netapp oncommand_shift: match - (version unspecified)
  OR netapp snap_creator_framework: match - (version unspecified)
Node
  canonical ubuntu_linux: match 16.04 esm
Node
  oracle tekelec_platform_distribution: range 7.4.0 to 7.7.1

Vendor  Product  Version  CPE
apache  tomcat   *        cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
apache  tomcat   9.0.0    cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
apache  tomcat   9.0.0    cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
apache  tomcat   9.0.0    cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
apache  tomcat   9.0.0    cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
apache  tomcat   9.0.0    cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
apache  tomcat   9.0.0    cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
apache  tomcat   9.0.0    cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
apache  tomcat   9.0.0    cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
apache  tomcat   9.0.0    cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
(rows 1-10 of 281 shown)

CNA Affected

[
  {
    "product": "Apache Tomcat",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "9.0.0.M1 to 9.0.0.M9"
      },
      {
        "status": "affected",
        "version": "8.5.0 to 8.5.4"
      },
      {
        "status": "affected",
        "version": "8.0.0.RC1 to 8.0.36"
      },
      {
        "status": "affected",
        "version": "7.0.0 to 7.0.70"
      },
      {
        "status": "affected",
        "version": "6.0.0 to 6.0.45"
      }
    ]
  }
]
