PT-2016-1315 · Apache · Apache Tomcat
Mark Koek
·
Published
2016-02-08
·
Updated
2024-06-15
·
CVE-2016-0706
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 6.x through 6.0.44
Apache Tomcat versions 7.x through 7.0.67
Apache Tomcat versions 8.x through 8.0.30
Apache Tomcat versions 9.x through 9.0.0.M1
Description
Apache Tomcat does not adequately protect internal server data. A remote attacker who can deploy a specially crafted web application can bypass access restrictions and read arbitrary HTTP requests handled by the server, which may expose sensitive information, such as session IDs, belonging to other web applications. The issue only affects users running untrusted web applications under a security manager.
Recommendations
For Apache Tomcat versions 6.x through 6.0.44, update to version 6.0.45 or later.
For Apache Tomcat versions 7.x through 7.0.67, update to version 7.0.68 or later.
For Apache Tomcat versions 8.x through 8.0.30, update to version 8.0.31 or later.
For Apache Tomcat versions 9.x through 9.0.0.M1, update to version 9.0.0.M2 or later.
As a temporary workaround, consider restricting access to the org.apache.catalina.manager.StatusManagerServlet to minimize the risk of exploitation.
Information Disclosure
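Added example, not from the advisory or the Tomcat project: a check that maps the version string printed by Tomcat's version.sh (org.apache.catalina.util.ServerInfo) onto the affected ranges listed above and returns the minimum fixed release. The 9.0.0.M1 milestone is the case a plain string comparison gets wrong, so milestones are ordered explicitly before the GA build. Function and constant names are my own.

```python
import re

# Affected ranges from the advisory, keyed by major version:
# (last affected version, minimum fixed version). The fourth tuple element
# is the milestone number (9.0.0.M1 -> 1) or None for a GA build.
AFFECTED = {
    6: ((6, 0, 44, None), "6.0.45"),
    7: ((7, 0, 67, None), "7.0.68"),
    8: ((8, 0, 30, None), "8.0.31"),
    9: ((9, 0, 0, 1), "9.0.0.M2"),
}

# Matches "8.0.30" or "9.0.0.M1" inside "Server version: Apache Tomcat/8.0.30"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, milestone); milestone is None for GA."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else None)


def _sort_key(version):
    """Order versions so every milestone (M1, M2, ...) sorts before the GA
    release with the same x.y.z, which a string compare would not do."""
    major, minor, patch, milestone = version
    if milestone is None:
        return (major, minor, patch, 1, 0)        # GA build
    return (major, minor, patch, 0, milestone)    # pre-release milestone


def check_cve_2016_0706(server_info):
    """Return (affected, fixed_version) for a line such as
    'Server version: Apache Tomcat/8.0.30'. fixed_version is None when
    the major branch is not listed in the advisory."""
    version = parse_version(server_info)
    if version[0] not in AFFECTED:
        return (False, None)
    last_affected, fixed = AFFECTED[version[0]]
    return (_sort_key(version) <= _sort_key(last_affected), fixed)


if __name__ == "__main__":
    # Constructed sample lines in the format printed by version.sh
    for line in ("Server version: Apache Tomcat/8.0.30",
                 "Server version: Apache Tomcat/9.0.0.M2"):
        print(line, "->", check_cve_2016_0706(line))
```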
Affected Products
Alt Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu