GHSA-cw54-59pw-4g8c

Suggest an improvement
Source
https://github.com/advisories/GHSA-cw54-59pw-4g8c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cw54-59pw-4g8c/GHSA-cw54-59pw-4g8c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cw54-59pw-4g8c
Aliases
Published
2022-05-13T01:14:52Z
Modified
2024-06-27T21:46:34.037366Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache Tomcat Improper Access Control vulnerability
Details

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

References

Affected packages

Maven / org.apache.tomcat:tomcat-catalina-jmx-remote

Package

Name
org.apache.tomcat:tomcat-catalina-jmx-remote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina-jmx-remote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.48

Affected versions

6.*

6.0.36
6.0.37
6.0.39
6.0.41
6.0.43
6.0.44
6.0.45
6.0.47

Maven / org.apache.tomcat:tomcat-catalina-jmx-remote

Package

Name
org.apache.tomcat:tomcat-catalina-jmx-remote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina-jmx-remote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.73

Affected versions

7.*

7.0.0
7.0.2
7.0.4
7.0.5
7.0.6
7.0.8
7.0.11
7.0.12
7.0.14
7.0.16
7.0.19
7.0.20
7.0.21
7.0.22
7.0.23
7.0.25
7.0.26
7.0.27
7.0.28
7.0.29
7.0.30
7.0.32
7.0.33
7.0.34
7.0.35
7.0.37
7.0.39
7.0.40
7.0.41
7.0.42
7.0.47
7.0.50
7.0.52
7.0.53
7.0.54
7.0.55
7.0.56
7.0.57
7.0.59
7.0.61
7.0.62
7.0.63
7.0.64
7.0.65
7.0.67
7.0.68
7.0.69
7.0.70
7.0.72

Maven / org.apache.tomcat:tomcat-catalina-jmx-remote

Package

Name
org.apache.tomcat:tomcat-catalina-jmx-remote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina-jmx-remote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.39

Affected versions

8.*

8.0.1
8.0.3
8.0.5
8.0.8
8.0.9
8.0.11
8.0.12
8.0.14
8.0.15
8.0.17
8.0.18
8.0.20
8.0.21
8.0.22
8.0.23
8.0.24
8.0.26
8.0.27
8.0.28
8.0.29
8.0.30
8.0.32
8.0.33
8.0.35
8.0.36
8.0.37
8.0.38

Maven / org.apache.tomcat:tomcat-catalina-jmx-remote

Package

Name
org.apache.tomcat:tomcat-catalina-jmx-remote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina-jmx-remote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.0
Fixed
8.5.7

Affected versions

8.*

8.5.0
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6

Maven / org.apache.tomcat:tomcat-catalina-jmx-remote

Package

Name
org.apache.tomcat:tomcat-catalina-jmx-remote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina-jmx-remote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0.M1
Fixed
9.0.0.M12

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.48

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.73

Affected versions

7.*

7.0.0
7.0.2
7.0.4
7.0.5
7.0.6
7.0.8
7.0.11
7.0.12
7.0.14
7.0.16
7.0.19
7.0.20
7.0.21
7.0.22
7.0.23
7.0.25
7.0.26
7.0.27
7.0.28
7.0.29
7.0.30
7.0.32
7.0.33
7.0.34
7.0.35
7.0.37
7.0.39
7.0.40
7.0.41
7.0.42
7.0.47
7.0.50
7.0.52
7.0.53
7.0.54
7.0.55
7.0.56
7.0.57
7.0.59
7.0.61
7.0.62
7.0.63
7.0.64
7.0.65
7.0.67
7.0.68
7.0.69
7.0.70
7.0.72

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.39

Affected versions

8.*

8.0.1
8.0.3
8.0.5
8.0.8
8.0.9
8.0.11
8.0.12
8.0.14
8.0.15
8.0.17
8.0.18
8.0.20
8.0.21
8.0.22
8.0.23
8.0.24
8.0.26
8.0.27
8.0.28
8.0.29
8.0.30
8.0.32
8.0.33
8.0.35
8.0.36
8.0.37
8.0.38

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.0
Fixed
8.5.7

Affected versions

8.*

8.5.0
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0.M1
Fixed
9.0.0.M12

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11