CVE-2016-6797 org.apache.tomcat:tomcat

Package

Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=9.0.0.m1 <9.0.0.m10 || >=8.5.0 <8.5.5 || >=8.0.0 <8.0.37 || >=7.0.0 <7.0.72

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00399 (percentile 0.59882)

Details

Incorrect Authorization in Apache Tomcat

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

Metadata

Created: 2022-05-13T01:02:15Z
Modified: 2024-02-23T16:16:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q6x7-f33r-3wxx/GHSA-q6x7-f33r-3wxx.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-q6x7-f33r-3wxx
Finding: F006
Auto approve: 1