CVE-2016-0706 tomcat6

Metadata

Severity: medium
CVSS score: 4.0
Package: tomcat6
CVE: CVE-2016-0706
Last updated: 2017-12-29 22:17

Related advisories: ALAS-2016-681, ALAS-2016-680, ALAS-2016-679
Related pages: CVE-2016-0706 tomcat8, CVE-2016-0706 tomcat7, CVE-2016-0706 (updated 2017-06-16 19:17, 2017-04-01 19:31 and 2017-01-05 17:42 respectively)

Description

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. Servlet classes listed in that file may only be declared by web applications marked privileged, so the omission meant an unprivileged application running under a SecurityManager could map the status servlet itself and use it to observe requests belonging to other applications on the same server.

Am I vulnerable?

The table below lists the versions in which this vulnerability is patched, and versions that are unaffected. If a patch is ready but unreleased, it is marked pending.

Or, you can let Appcanary figure it out for you: it continuously monitors your installed packages and tells you if any of them are vulnerable.

Affected package information

Release   Package   Patched in
jessie    tomcat6   6.0.41-3
wheezy    tomcat6   6.0.45+dfsg-1~deb7u1
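The two checks below are an added example, not Appcanary's code or part of Tomcat. The first applies the version ranges from the description to an upstream Tomcat version string; the second, which is the check that actually matters, reads a RestrictedServlets.properties file and reports whether StatusManagerServlet is listed as restricted. The Java-properties layout assumed for that file (one `<class>=restricted` entry per line) and the sample file contents are assumptions made for the example.

```python
"""Audit helpers for CVE-2016-0706 (example code, not Appcanary's or Tomcat's)."""
import re

_FINAL = 1 << 30  # milestone rank for a final (non-milestone) release

# Upstream release in which each affected branch shipped the fix, taken from
# the advisory text: 6.0.45, 7.0.68, 8.0.31 and 9.0.0.M2.
FIXED_IN = {
    6: (6, 0, 45, _FINAL),
    7: (7, 0, 68, _FINAL),
    8: (8, 0, 31, _FINAL),
    9: (9, 0, 0, 2),
}

STATUS_SERVLET = "org.apache.catalina.manager.StatusManagerServlet"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?")


def parse_version(version):
    """Turn 'major.minor.patch[.Mn]' into a comparable tuple.

    Milestones sort before the final build of the same number, so
    9.0.0.M1 < 9.0.0.M2 < 9.0.0. Distro strings such as
    '6.0.45+dfsg-1~deb7u1' are rejected on purpose: a distro package's fix
    state is tracked by the distro version, not by the upstream number.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"not an upstream Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else _FINAL)


def is_vulnerable_upstream(version):
    """True if a stock Tomcat of this version is affected, False if fixed,
    None if the branch is not covered by the advisory (for example 5.x)."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def status_servlet_restricted(properties_text):
    """True if RestrictedServlets.properties marks StatusManagerServlet restricted.

    Assumed file format: Java properties, one '<class>=restricted' per line,
    '#' or '!' comment lines and blank lines ignored ('=' , ':' or whitespace
    may separate key and value).
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        if len(parts) == 2 and parts[0] == STATUS_SERVLET and parts[1].strip() == "restricted":
            return True
    return False


def assess(version, properties_text=None):
    """Return 'patched', 'vulnerable' or 'unknown'.

    When the properties file is available it is authoritative, since the
    restriction entry is the fix itself; the version table is only used when
    the file cannot be inspected.
    """
    if properties_text is not None:
        return "patched" if status_servlet_restricted(properties_text) else "vulnerable"
    upstream = is_vulnerable_upstream(version)
    if upstream is None:
        return "unknown"
    return "vulnerable" if upstream else "patched"


# Constructed sample files for the example; not copied from any Tomcat release.
PROPERTIES_VULNERABLE = """\
# RestrictedServlets.properties (constructed sample, StatusManagerServlet missing)
org.apache.catalina.manager.HTMLManagerServlet=restricted
org.apache.catalina.manager.ManagerServlet=restricted
"""
PROPERTIES_FIXED = PROPERTIES_VULNERABLE + STATUS_SERVLET + "=restricted\n"


if __name__ == "__main__":
    for v in ("6.0.44", "6.0.45", "9.0.0.M1", "9.0.0.M2", "5.5.36"):
        print(v, assess(v))
    print("8.0.31 with bad config:", assess("8.0.31", PROPERTIES_VULNERABLE))
    print("8.0.30 with fixed config:", assess("8.0.30", PROPERTIES_FIXED))
```

The jessie row above is the reason the version check refuses distro strings: jessie's fix shipped as 6.0.41-3, a package whose upstream number is below 6.0.45, so the upstream table would wrongly flag it. For Debian packages, compare the installed version against the "Patched in" column with `dpkg --compare-versions`, or inspect the properties file inside the installed catalina jar directly.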