CVE-2016-0706

Metadata

medium
4.0
tomcat7, tomcat6, tomcat8
CVE-2016-0706
cve.mitre.org, seclists.org, usn.ubuntu.com, bugs.debian.org
2016-02-24
2017-12-16 00:04
ALAS-2016-681
ALAS-2016-680
ALAS-2016-679
CVE-2016-0706 tomcat8
CVE-2016-0706 tomcat6
CVE-2016-0706 tomcat7
2017-10-23 13:32
2017-06-16 19:17
2017-06-15 01:20
2017-05-10 22:50
2017-04-14 09:38
2017-04-01 21:03
2017-01-05 19:30

Description

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
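The description pins the fix to a specific first-fixed release per branch and to one missing entry in RestrictedServlets.properties. The following is an added example, not code from this page or from the Tomcat project, that turns those two facts into defender-side checks: a version comparison against the thresholds quoted above (upstream version strings only, not distribution-suffixed ones such as 7.0.52-1ubuntu0.6), and a scan of the properties file content for the StatusManagerServlet entry. It assumes the file's key=value form, with the class name mapped to the value restricted; the sample file contents are constructed for the example.

```python
"""Defender-side checks for CVE-2016-0706 (added example, constructed data)."""
import re
from typing import Optional, Tuple

# Servlet the advisory says was missing from the restricted list.
STATUS_SERVLET = "org.apache.catalina.manager.StatusManagerServlet"

# First fixed release per branch, taken from the CVE description.
FIXED_IN = {6: "6.0.45", 7: "7.0.68", 8: "8.0.31", 9: "9.0.0.M2"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.0.30' or '9.0.0.M2' into a comparable tuple.

    Milestone builds (M<n>) sort before a release of the same number
    without a milestone suffix, so the tail is (0, n) for milestones
    and (1, 0) for a plain release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates its branch's fix, False if fixed.

    Returns None for branches the CVE description does not cover.
    """
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[0])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def status_servlet_restricted(properties_text: str) -> bool:
    """Check RestrictedServlets.properties content for the fix.

    Assumes the file's key=value form (comment lines start with '#' or '!');
    the servlet counts as restricted when its class name maps to 'restricted'.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == STATUS_SERVLET and value.strip() == "restricted":
            return True
    return False


# Constructed sample file contents: one without the entry, one with it.
UNPATCHED_PROPERTIES = """\
# Constructed sample, not the real RestrictedServlets.properties
org.apache.catalina.manager.HTMLManagerServlet=restricted
org.apache.catalina.manager.ManagerServlet=restricted
"""
PATCHED_PROPERTIES = UNPATCHED_PROPERTIES + f"{STATUS_SERVLET}=restricted\n"

if __name__ == "__main__":
    for v in ("7.0.52", "7.0.68", "9.0.0.M1", "9.0.0.M2"):
        print(v, "affected" if is_affected(v) else "fixed")
    print("unpatched file restricts servlet:", status_servlet_restricted(UNPATCHED_PROPERTIES))
    print("patched file restricts servlet:", status_servlet_restricted(PATCHED_PROPERTIES))
```

The file check is the more reliable of the two on a packaged install, because distributions backport the fix without bumping the upstream version (the Ubuntu table on this page shows 7.0.52 and 6.0.35 builds carrying the patch), so a version comparison alone would report those as vulnerable.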

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.

Affected package information

Release        Package   Patched in
precise        tomcat6   6.0.35-1ubuntu3.7
precise/esm    tomcat6   6.0.35-1ubuntu3.7
trusty         tomcat6   None
trusty         tomcat7   7.0.52-1ubuntu0.6
upstream       tomcat6   6.0.45
upstream       tomcat7   7.0.68-1
upstream       tomcat8   8.0.32-1
wily           tomcat7   7.0.64-1ubuntu0.3
xenial         tomcat6   None

Unaffected

Release                       Package   Reason
precise                       tomcat7   ignored
precise                       tomcat8   DNE
precise/esm                   tomcat7   DNE
precise/esm                   tomcat8   DNE
vivid/stable-phone-overlay    tomcat7   DNE
vivid/stable-phone-overlay    tomcat6   DNE
vivid/stable-phone-overlay    tomcat8   DNE
vivid/ubuntu-core             tomcat7   DNE
vivid/ubuntu-core             tomcat6   DNE
vivid/ubuntu-core             tomcat8   DNE
xenial                        tomcat7   not-affected
xenial                        tomcat8   not-affected
yakkety                       tomcat7   not-affected
yakkety                       tomcat6   DNE
yakkety                       tomcat8   not-affected
zesty                         tomcat7   not-affected
zesty                         tomcat6   DNE
zesty                         tomcat8   not-affected
artful                        tomcat7   not-affected
artful                        tomcat6   DNE
artful                        tomcat8   not-affected
devel                         tomcat7   not-affected
devel                         tomcat6   DNE
devel                         tomcat8   not-affected
wily                          tomcat6   ignored
wily                          tomcat8   ignored
trusty                        tomcat8   DNE