Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47
Earlier, unsupported versions may also be affected.

Description
The code that parsed the HTTP request line permitted invalid characters.
This could be exploited, in conjunction with a proxy that also permitted
the invalid characters but with a different interpretation, to inject
data into the HTTP response. By manipulating the HTTP response the
attacker could poison a web-cache, perform an XSS attack and/or obtain
sensitive information from requests other then their own.

Mitigation
Users of affected versions should apply one of the following mitigations

Upgrade to Apache Tomcat 9.0.0.M13 or later
(Apache Tomcat 9.0.0.M12 has the fix but was not released)
Upgrade to Apache Tomcat 8.5.8 or later
(Apache Tomcat 8.5.7 has the fix but was not released)
Upgrade to Apache Tomcat 8.0.39 or later
Upgrade to Apache Tomcat 7.0.73 or later
Upgrade to Apache Tomcat 6.0.48 or later

Credit:
This issue was discovered by Regis Leroy from Makina Corpus.

ibm 33

ubuntucve 2

exploitpack 1

openvas 20

cve 2

github 1

osv 5

redhatcve 1

packetstorm 1

f5 3

nessus 42

prion 2

zdt 1

veracode 2

debiancve 2

exploitdb 1

redhat 10

oraclelinux 2

centos 2

debian 7

freebsd 1

amazon 4

fedora 3

tomcat 5

archlinux 1

mageia 1

atlassian 4

hackerone 2

suse 6

ubuntu 3

oracle 2

ibm

Security Bulletin: Rational DOORS Web Access is affected by Apache Tomcat vulnerability (CVE-2016-6816)

2018-06-17 05:21:29

Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Open Source Tomcat vulnerability

2020-03-23 20:41:52

Security Bulletin: Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerability (CVE-2016-6816)

2018-06-17 05:19:39

ubuntucve

CVE-2016-6816

2016-11-23 00:00:00

CVE-2017-6056

2017-02-13 00:00:00

exploitpack

Apache Tomcat 6789 - Information Disclosure

2017-04-04 00:00:00

openvas

Apache Tomcat HTTP Request Line Information Disclosure Vulnerability

2017-04-04 00:00:00

Apache Tomcat HTTP Request Line Information Disclosure Vulnerability (Linux)

2017-03-24 00:00:00

Apache Tomcat HTTP Request Line Information Disclosure Vulnerability (Windows)

2017-03-24 00:00:00

cve

CVE-2016-6816

2017-03-20 18:59:00

CVE-2017-6056

2017-02-17 07:59:00

github

Improper Input Validation in Apache Tomcat

2022-05-13 01:14:53

osv

Improper Input Validation in Apache Tomcat

2022-05-13 01:14:53

CVE-2016-6816

2017-03-20 18:59:00

tomcat6 vulnerabilities

2020-09-30 12:55:19

redhatcve

CVE-2016-6816

2021-07-11 07:51:46

packetstorm

Apache Tomcat 6 / 7 / 8 / 9 Information Disclosure

2017-04-04 00:00:00

SOL50116122 - Apache Tomcat vulnerability CVE-2016-6816

2016-12-01 00:00:00

K50116122 : Apache Tomcat vulnerability CVE-2016-6816

2016-12-01 00:00:00

K37337112 : Apache Tomcat vulnerability CVE-2017-6056

2017-03-06 00:00:00

nessus

F5 Networks BIG-IP : Apache Tomcat vulnerability (K50116122)

2017-02-28 00:00:00

CentOS 6 : tomcat6 (CESA-2017:0527)

2017-03-20 00:00:00

Amazon Linux AMI : tomcat6 (ALAS-2016-776)

2016-12-16 00:00:00

prion

Design/Logic Flaw

2017-03-20 18:59:00

Design/Logic Flaw

2017-02-17 07:59:00

zdt

Apache Tomcat 6/7/8/9 - Information Disclosure Vulnerability

2017-04-03 00:00:00

veracode

Cross-site Scripting (XSS) Or Information Disclosure

2019-01-15 09:15:22

Denial Of Service (DoS) Via Infinite Loop

2017-02-22 02:23:40

debiancve

CVE-2016-6816

2017-03-20 18:59:00

CVE-2017-6056

2017-02-17 07:59:00

exploitdb

Apache Tomcat 6/7/8/9 - Information Disclosure

2017-04-04 00:00:00

redhat

(RHSA-2017:0935) Moderate: tomcat security update

2017-04-12 13:36:04

(RHSA-2017:0527) Moderate: tomcat6 security update

2017-03-15 12:06:21

(RHSA-2017:0250) Important: jboss-ec2-eap security, bug fix, and enhancement update

2017-02-02 20:54:34

oraclelinux

tomcat6 security update

2017-03-15 00:00:00

tomcat security update

2017-04-12 00:00:00

centos

tomcat security update

2017-04-13 11:00:11

tomcat6 security update

2017-03-17 14:19:39

debian

[SECURITY] [DLA 779-1] tomcat7 security update

2017-01-10 23:37:14

[SECURITY] [DSA 3738-1] tomcat7 security update

2016-12-18 09:12:10

[SECURITY] [DSA 3739-1] tomcat8 security update

2016-12-18 09:12:31

freebsd

tomcat -- multiple vulnerabilities

2016-11-22 00:00:00

amazon

Important: tomcat6

2016-12-15 00:41:00

Medium: tomcat6

2017-03-29 16:48:00

Important: tomcat8

2016-12-15 00:50:00

fedora

[SECURITY] Fedora 23 Update: tomcat-8.0.39-1.fc23

2016-12-15 01:21:03

[SECURITY] Fedora 25 Update: tomcat-8.0.39-1.fc25

2016-12-14 21:31:31

[SECURITY] Fedora 24 Update: tomcat-8.0.39-1.fc24

2016-12-14 22:57:34

tomcat

Fixed in Apache Tomcat 7.0.73

2016-11-14 00:00:00

Fixed in Apache Tomcat 8.0.39

2016-11-14 00:00:00

Fixed in Apache Tomcat 6.0.48

2016-11-15 00:00:00

archlinux

[ASA-201611-22] tomcat6: multiple issues

2016-11-23 00:00:00

mageia

Updated tomcat package fixes security vulnerabilities

2016-12-12 01:44:05

atlassian

Upgrade Tomcat to the version 8.5.29

2017-03-14 13:20:53

Upgrade Tomcat to the version 8.5.29

2017-03-14 13:20:53

Update bundled Apache Tomcat due to security vulnerabilities

2017-04-17 08:48:35

hackerone

Internet Bug Bounty: Apache HTTP Request Parsing Whitespace Defects

2017-06-29 17:41:22

Internet Bug Bounty: Multiple HTTP Smuggling reports

2019-07-17 22:47:10

suse

Security update for tomcat (important)

2016-12-14 01:28:16

Security update for tomcat (important)

2016-12-10 23:11:58

Security update for tomcat (important)

2016-12-14 01:14:48

ubuntu

Tomcat vulnerabilities

2020-09-30 00:00:00

Tomcat regression

2017-02-02 00:00:00

Tomcat vulnerabilities

2017-01-23 00:00:00

oracle

Oracle Critical Patch Update - October 2017

2017-10-17 00:00:00

Oracle Critical Patch Update Advisory - April 2017

2017-04-18 00:00:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

0.003 Low

EPSS

Percentile

63.7%

JSON

Related for SSV:92678