[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2016-0714Date: (C)2016-02-29   (M)2024-02-22


The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 8.8CVSS Score : 6.5
Exploit Score: 2.8Exploit Score: 8.0
Impact Score: 5.9Impact Score: 6.4
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: LOWAccess Complexity: LOW
Privileges Required: LOWAuthentication: SINGLE
User Interaction: NONEConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: PARTIAL
Confidentiality: HIGHAvailability: PARTIAL
Integrity: HIGH 
Availability: HIGH 
  
Reference:
SECTRACK-1035069
SECTRACK-1037640
http://seclists.org/bugtraq/2016/Feb/145
BID-83327
DSA-3530
DSA-3552
DSA-3609
GLSA-201705-09
HPSBUX03561
RHSA-2016:1087
RHSA-2016:1088
RHSA-2016:1089
RHSA-2016:2045
RHSA-2016:2599
RHSA-2016:2807
RHSA-2016:2808
SUSE-SU-2016:0769
SUSE-SU-2016:0822
SUSE-SU-2016:0839
USN-3024-1
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
http://svn.apache.org/viewvc?view=revision&revision=1725263
http://svn.apache.org/viewvc?view=revision&revision=1725914
http://svn.apache.org/viewvc?view=revision&revision=1726196
http://svn.apache.org/viewvc?view=revision&revision=1726203
http://svn.apache.org/viewvc?view=revision&revision=1726923
http://svn.apache.org/viewvc?view=revision&revision=1727034
http://svn.apache.org/viewvc?view=revision&revision=1727166
http://svn.apache.org/viewvc?view=revision&revision=1727182
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
https://bto.bluecoat.com/security-advisory/sa118
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
https://security.netapp.com/advisory/ntap-20180531-0001/
openSUSE-SU-2016:0865

CWE    1
CWE-264
OVAL    19
oval:org.secpod.oval:def:602436
oval:org.secpod.oval:def:602469
oval:org.secpod.oval:def:1600384
oval:org.secpod.oval:def:1600336
...

© SecPod Technologies