Dec 01, 2016 - 12:00 a.m.

K50116122 : Apache Tomcat vulnerability CVE-2016-6816

my.f5.com

AI Score: 8.3
Confidence: High
EPSS: 0.003
Percentile: 66.0%

Security Advisory Description

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other than their own. (CVE-2016-6816)
Impact
An attacker may be able to perform HTTP request smuggling by sending an invalid character in HTTP requests. For more information about HTTP request smuggling, refer to Section 9.5 Request Smuggling of Internet Engineering Task Force (RFC 7230).

Note: This link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.
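
The risk described above comes from two HTTP hops disagreeing about a request line that should have been rejected outright. As an added example (not code from F5 or Apache Tomcat), the sketch below shows a strict front-end check that accepts only the characters RFC 7230 and RFC 3986 allow in a request line. The function name and sample lines are constructed for illustration, and the check covers the character set only, not the full URI grammar.

```python
import re

# RFC 7230 section 3.2.6 "tchar": characters allowed in the method token.
TCHAR = r"!#$%&'*+\-.^_`|~0-9A-Za-z"
# RFC 3986 unreserved, sub-delims and the gen-delims that may appear in a
# request-target, plus "%" for percent-encoding. "#" is excluded because a
# fragment is never sent; "[" and "]" are kept for IPv6 literals.
TARGET_CHARS = r"A-Za-z0-9\-._~!$&'()*+,;=:@/?%\[\]"

REQUEST_LINE = re.compile(
    rb"\A([" + TCHAR.encode() + rb"]+) "
    rb"([" + TARGET_CHARS.encode() + rb"]+) "
    rb"HTTP/(\d)\.(\d)\Z"
)
# A "%" that is not followed by exactly two hex digits.
PCT_ERROR = re.compile(rb"%(?![0-9A-Fa-f]{2})")


def check_request_line(raw: bytes):
    """Return (ok, reason) for one request line without its trailing CRLF."""
    if b"\r" in raw or b"\n" in raw:
        return False, "CR or LF inside request line"
    match = REQUEST_LINE.match(raw)
    if match is None:
        if len(raw.split(b" ")) != 3:
            return False, "expected exactly two single-space separators"
        return False, "character outside RFC 7230/3986 sets"
    if PCT_ERROR.search(match.group(2)):
        return False, "malformed percent-encoding"
    return True, "ok"


# Constructed sample request lines (not taken from the advisory).
SAMPLES = [
    b"GET /index.html?a=1 HTTP/1.1",
    b"GET /a b HTTP/1.1",
    b"GET /a{b}|c HTTP/1.1",
    b"GET /a\tb HTTP/1.1",
    b"GET /a%zz HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ok, reason = check_request_line(line)
        print(("ACCEPT" if ok else "REJECT"), repr(line), "-", reason)
```

Rejecting with a 400 at the first hop, rather than normalising, keeps every downstream parser from having to interpret the malformed line at all.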