Skip to main content

CVE-2016-0706

Severity

4.3

Description

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Workaround for versions including and above 6.x:
Add the below line to the `RestrictedServlets.properties` file:
```
org.apache.catalina.manager.StatusManagerServlet=restricted
```

Related links:

Project

Apache Tomcat

Apache TomEE

Category
n/a
Tags
data
operational
privileged
Date Disclosed

2016-02-24

Date Discovered

2015-12-16

Apache TomEE 1.7.x

First release:
2014-08-09
0
Support Lifecycle:
Namespace:
javax
1.7.01.7.11.7.21.7.3

Apache TomEE 1.6.x

First release:
2013-11-17
0
Support Lifecycle:
Namespace:
javax
1.6.01.6.0.11.6.0.2

Apache TomEE 1.5.x

First release:
2012-09-28
0
Support Lifecycle:
Namespace:
javax
1.5.01.5.11.5.2

Apache TomEE 1.0.x

First release:
2012-04-27
0
Support Lifecycle:
Namespace:
javax
1.0.0
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.