vulnerability
CentOS: (CVE-2016-0706) CESA-2016:2045: tomcat6
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:P/I:N/A:N) | Feb 24, 2016 | Oct 21, 2016 | May 7, 2019 |
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Published
Feb 24, 2016
Added
Oct 21, 2016
Modified
May 7, 2019
Description
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
Solutions
centos-upgrade-tomcat6centos-upgrade-tomcat6-admin-webappscentos-upgrade-tomcat6-docs-webappcentos-upgrade-tomcat6-el-2-1-apicentos-upgrade-tomcat6-javadoccentos-upgrade-tomcat6-jsp-2-1-apicentos-upgrade-tomcat6-libcentos-upgrade-tomcat6-servlet-2-5-apicentos-upgrade-tomcat6-webapps
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.