PT-2016-7115 · Apache · Apache Tomcat

Published 2016-09-05 · Updated 2023-12-08 · CVE-2016-6796

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 9.0.0.M1 through 9.0.0.M9
Apache Tomcat versions 8.5.0 through 8.5.4
Apache Tomcat versions 8.0.0.RC1 through 8.0.36
Apache Tomcat versions 7.0.0 through 7.0.70
Apache Tomcat versions 6.0.0 through 6.0.45

Description

A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

Recommendations

For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M9, update the configuration parameters for the JSP Servlet to prevent manipulation.
For Apache Tomcat versions 8.5.0 through 8.5.4, update the configuration parameters for the JSP Servlet to prevent manipulation.
For Apache Tomcat versions 8.0.0.RC1 through 8.0.36, update the configuration parameters for the JSP Servlet to prevent manipulation.
For Apache Tomcat versions 7.0.0 through 7.0.70, update the configuration parameters for the JSP Servlet to prevent manipulation.
For Apache Tomcat versions 6.0.0 through 6.0.45, update the configuration parameters for the JSP Servlet to prevent manipulation.


Related Identifiers

ALT-PU-2017-2558
CESA-2017_2247
CVE-2016-6796
DLA-728-1
DLA-729-1
DSA-3720-1
DSA-3721-1
GHSA-3MJP-P938-4329
MGASA-2016-0367
OPENSUSE-SU-2016_3129-1
OPENSUSE-SU-2016_3144-1
RHSA-2017:0455
RHSA-2017:0456
RHSA-2017:1548
RHSA-2017:1549
RHSA-2017:1550
RHSA-2017:1552
RHSA-2017:2247
RHSA-2017_2247
SUSE-SU-2016:3079-1
SUSE-SU-2016:3081-1
SUSE-SU-2017:1632-1
SUSE-SU-2017:1660-1
USN-3177-1
USN-3177-2
USN-4557-1

Affected Products

ALT Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu