CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
54.8%
Low: Unrestricted Access to Global Resources CVE-2016-6797
The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
This was fixed in revision 1757272 for 8.5.x and revision 1757273 for 8.0.x.
This issue was identified by the Apache Tomcat Security Team on 18 January 2016 and made public on 27 October 2016.
Affects: 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36
Low: Security Manager Bypass CVE-2016-6796
A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.
This was fixed in revisions 1758493 and 1763233 for 8.5.x and revisions 1758494 and 1763234for 8.0.x.
This issue was identified by the Apache Tomcat Security Team on 27 December 2015 and made public on 27 October 2016.
Affects: 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36
Low: System Property Disclosure CVE-2016-6794
When a SecurityManager is configured, a web application’s ability to read system properties should be controlled by the SecurityManager. Tomcat’s system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
This was fixed in revision 1754726 for 8.5.x and revision 1754727 for 8.0.x.
This issue was identified by the Apache Tomcat Security Team on 27 December 2015 and made public on 27 October 2016.
Affects: 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36
Low: Security Manager Bypass CVE-2016-5018
A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
This was fixed in revisions 1754900 and 1760305 for 8.5.x and revisions 1754901 and 1760307 for 8.0.x.
This issue was discovered by Alvaro Munoz and Alexander Mirosh of the HP Enterprise Security Team and reported to the Apache Tomcat Security Team on 5 July 2016. It was made public on 27 October 2016.
Affects: 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36
Low: Timing Attack CVE-2016-0762
The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
This was fixed in revision 1758500 for 8.5.x and revision 1758501 for 8.0.x.
This issue was identified by the Apache Tomcat Security Team on 1 January 2016 and made public on 27 October 2016.
Affects: 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
54.8%