CVE-2016-0714 – org.apache.tomcat:tomcat
Package
Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: =9.0.0.m1 || >=9.0.0.m1 <9.0.0.m2 || >=8.0.0.rc1 <8.0.32 || >=7.0.0 <7.0.70 || >=6.0.0 <6.0.46
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.10248 (percentile 0.92871)
Details
Improper Access Control in Apache Tomcat
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
Metadata
Created: 2022-05-14T01:10:17Z
Modified: 2024-02-29T23:35:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mv42-px54-87jw/GHSA-mv42-px54-87jw.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-mv42-px54-87jw
Finding: F039
Auto approve: 1