CVE-2016-8735

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2016-8735

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-8735.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2016-8735

Aliases

GHSA-cw54-59pw-4g8c

Related

Published

2017-04-06T21:59:00Z

Modified

2024-09-03T00:03:00Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

References

Affected packages

Git / github.com/apache/tomcat

Affected ranges

Type: GIT
Repo: https://github.com/apache/tomcat
Events: Introduced

e498667bd7811e846771a852b16ce9f1e524b81b

Fixed

fe0424f91a9f0af2f6422fe83bfaa769d92aa131