CVE-2016-8735 – org.apache.tomcat:tomcat-catalina
Package
Manager: maven
Name: org.apache.tomcat:tomcat-catalina
Vulnerable Version: >=0 <6.0.48 || >=7.0.0 <7.0.73 || >=8.0.0 <8.0.39 || >=8.5.0 <8.5.7 || >=9.0.0.m1 <9.0.0.m12
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.94003 (percentile 0.99885)
Details
Apache Tomcat Improper Access Control vulnerability. Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach the JMX ports. The issue exists because this listener was not updated for consistency with the Oracle patch for CVE-2016-3427, which affected credential types.
Metadata
Created: 2022-05-13T01:14:52Z
Modified: 2024-06-27T21:36:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cw54-59pw-4g8c/GHSA-cw54-59pw-4g8c.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-cw54-59pw-4g8c
Finding: F039
Auto approve: 1