PT-2016-6219 · Apache+5 · Apache Tomcat+5

Published: 2016-09-05 · Updated: 2023-12-08 · CVE-2016-5018

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 9.0.0.M1 through 9.0.0.M9
Apache Tomcat versions 8.5.0 through 8.5.4
Apache Tomcat versions 8.0.0.RC1 through 8.0.36
Apache Tomcat versions 7.0.0 through 7.0.70
Apache Tomcat versions 6.0.0 through 6.0.45

Description

A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

Recommendations

For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M9, update to a version outside of this range to mitigate the issue.
For Apache Tomcat versions 8.5.0 through 8.5.4, update to a version outside of this range to mitigate the issue.
For Apache Tomcat versions 8.0.0.RC1 through 8.0.36, update to a version outside of this range to mitigate the issue.
For Apache Tomcat versions 7.0.0 through 7.0.70, update to a version outside of this range to mitigate the issue.
For Apache Tomcat versions 6.0.0 through 6.0.45, update to a version outside of this range to mitigate the issue.

As a temporary workaround, consider restricting access to Tomcat utility methods to minimize the risk of exploitation.

Exploit

Fix

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel

Related identifiers

ALT-PU-2017-2558
CESA-2017_2247
CVE-2016-5018
DLA-728-1
DLA-729-1
DSA-3720-1
DSA-3721-1
GHSA-4V3G-G84W-HV7R
MGASA-2016-0367
OPENSUSE-SU-2016_3129-1
OPENSUSE-SU-2016_3144-1
RHSA-2017:0455
RHSA-2017:0456
RHSA-2017:1548
RHSA-2017:1549
RHSA-2017:1550
RHSA-2017:1552
RHSA-2017:2247
RHSA-2017_2247
SUSE-SU-2016:3079-1
SUSE-SU-2016:3081-1
SUSE-SU-2017:1632-1
SUSE-SU-2017:1660-1
USN-3177-1
USN-3177-2
USN-4557-1

Affected products

Alt Linux
Apache Tomcat
Centos
Red Hat
Suse
Ubuntu