CVE-2016-6816 – org.apache.tomcat:tomcat-coyote
Package
Manager: maven
Name: org.apache.tomcat:tomcat-coyote
Vulnerable Version: >=9.0.0.m1 <9.0.0.m12 || >=8.5.0 <8.5.8 || >=8.0.0rc1 <8.0.39 || >=7.0.0 <7.0.73 || >=6.0.0 <6.0.48
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.02781 pctl0.85516
Details
Improper Input Validation in Apache Tomcat
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.
Metadata
Created: 2022-05-13T01:14:53Z
Modified: 2024-02-22T20:24:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jc7p-5r39-9477/GHSA-jc7p-5r39-9477.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-jc7p-5r39-9477
Finding: F184
Auto approve: 1