Lucene search

[email protected]CVE-2016-0763

HistoryFeb 25, 2016 - 1:59 a.m.

CVE-2016-0763

2016-02-2501:59:06

CWE-264

[email protected]

web.nvd.nist.gov

cve

2016

0763

apache tomcat

security

authorization

remote

authenticated

bypass

denial of service

nvd

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

7.1 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.9%

JSON

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Affected configurations

NVD

Node

debiandebian_linuxMatch7.0

debiandebian_linuxMatch8.0

Node

apachetomcatMatch7.0.0beta

apachetomcatMatch7.0.2beta

apachetomcatMatch7.0.4beta

apachetomcatMatch7.0.5beta

apachetomcatMatch7.0.6

apachetomcatMatch7.0.10

apachetomcatMatch7.0.11

apachetomcatMatch7.0.12

apachetomcatMatch7.0.14

apachetomcatMatch7.0.16

apachetomcatMatch7.0.19

apachetomcatMatch7.0.20

apachetomcatMatch7.0.21

apachetomcatMatch7.0.22

apachetomcatMatch7.0.23

apachetomcatMatch7.0.25

apachetomcatMatch7.0.26

apachetomcatMatch7.0.27

apachetomcatMatch7.0.28

apachetomcatMatch7.0.29

apachetomcatMatch7.0.30

apachetomcatMatch7.0.32

apachetomcatMatch7.0.33

apachetomcatMatch7.0.34

apachetomcatMatch7.0.35

apachetomcatMatch7.0.37

apachetomcatMatch7.0.39

apachetomcatMatch7.0.40

apachetomcatMatch7.0.41

apachetomcatMatch7.0.42

apachetomcatMatch7.0.47

apachetomcatMatch7.0.50

apachetomcatMatch7.0.52

apachetomcatMatch7.0.53

apachetomcatMatch7.0.54

apachetomcatMatch7.0.55

apachetomcatMatch7.0.56

apachetomcatMatch7.0.57

apachetomcatMatch7.0.59

apachetomcatMatch7.0.61

apachetomcatMatch7.0.62

apachetomcatMatch7.0.63

apachetomcatMatch7.0.64

apachetomcatMatch7.0.65

apachetomcatMatch7.0.67

apachetomcatMatch8.0.0rc1

apachetomcatMatch8.0.0rc10

apachetomcatMatch8.0.0rc3

apachetomcatMatch8.0.0rc5

apachetomcatMatch8.0.1

apachetomcatMatch8.0.3

apachetomcatMatch8.0.11

apachetomcatMatch8.0.12

apachetomcatMatch8.0.14

apachetomcatMatch8.0.15

apachetomcatMatch8.0.17

apachetomcatMatch8.0.18

apachetomcatMatch8.0.20

apachetomcatMatch8.0.21

apachetomcatMatch8.0.22

apachetomcatMatch8.0.23

apachetomcatMatch8.0.24

apachetomcatMatch8.0.26

apachetomcatMatch8.0.27

apachetomcatMatch8.0.28

apachetomcatMatch8.0.29

apachetomcatMatch8.0.30

apachetomcatMatch9.0.0milestone1

Node

canonicalubuntu_linuxMatch12.04lts

canonicalubuntu_linuxMatch14.04lts

canonicalubuntu_linuxMatch15.10

canonicalubuntu_linuxMatch16.04lts

CPENameOperatorVersion
debian:debian_linuxdebian debian linuxeq7.0
debian:debian_linuxdebian debian linuxeq8.0

CPE	Name	Operator	Version
debian:debian_linux	debian debian linux	eq	7.0
debian:debian_linux	debian debian linux	eq	8.0

References

lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

rhn.redhat.com/errata/RHSA-2016-1089.html

rhn.redhat.com/errata/RHSA-2016-2599.html

rhn.redhat.com/errata/RHSA-2016-2807.html

rhn.redhat.com/errata/RHSA-2016-2808.html

seclists.org/bugtraq/2016/Feb/147

svn.apache.org/viewvc?view=revision&revision=1725926

svn.apache.org/viewvc?view=revision&revision=1725929

svn.apache.org/viewvc?view=revision&revision=1725931

tomcat.apache.org/security-7.html

tomcat.apache.org/security-8.html

tomcat.apache.org/security-9.html

www.debian.org/security/2016/dsa-3530

www.debian.org/security/2016/dsa-3552

www.debian.org/security/2016/dsa-3609

www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

www.securityfocus.com/bid/83326

www.securitytracker.com/id/1035069

www.ubuntu.com/usn/USN-3024-1

access.redhat.com/errata/RHSA-2016:1087

access.redhat.com/errata/RHSA-2016:1088

bto.bluecoat.com/security-advisory/sa118

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755

lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

security.gentoo.org/glsa/201705-09

security.netapp.com/advisory/ntap-20180531-0001/

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

7.1 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.9%

JSON

Related for CVE-2016-0763