GHSA-6vx3-hr43-cfrh

Source

https://github.com/advisories/GHSA-6vx3-hr43-cfrh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6vx3-hr43-cfrh/GHSA-6vx3-hr43-cfrh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6vx3-hr43-cfrh

Aliases

CVE-2016-0706

Published

2022-05-14T01:10:17Z

Modified

2024-03-16T05:20:11.841130Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

Details

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

Database specific

{
    "nvd_published_at": "2016-02-25T01:59:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T20:07:37Z"
}

References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name: org.apache.tomcat:tomcat; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0.M1

Fixed

9.0.0.M2

Affected versions

9.*

9.0.0.M1

Maven / org.apache.tomcat:tomcat

Package

Name: org.apache.tomcat:tomcat; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0.RC1

Fixed

8.0.31

Affected versions

8.*

8.0.1

8.0.3

8.0.5

8.0.8

8.0.9

8.0.11

8.0.12

8.0.14

8.0.15

8.0.17

8.0.18

8.0.20

8.0.21

8.0.22

8.0.23

8.0.24

8.0.26

8.0.27

8.0.28

8.0.29

8.0.30

Database specific

{
    "last_known_affected_version_range": "<= 8.0.30"
}

Maven / org.apache.tomcat:tomcat

Package

Name: org.apache.tomcat:tomcat; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.45

Database specific

{
    "last_known_affected_version_range": "<= 6.0.44"
}