2016-02-25 02:59:05 2019-04-15 18:30:24

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

CVSS v2 metrics

Vector: NETWORK
Complexity: LOW
Authentication: SINGLE_INSTANCE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL

Affected software (CPE)
Apache Tomcat 9.0.0 M1 (not an official CPE)
Apache Tomcat 8.0.30 (not an official CPE)
Apache Tomcat 8.0.29 (not an official CPE)
Apache Tomcat 8.0.28 (not an official CPE)
Apache Tomcat 8.0.27 (not an official CPE)
Apache Tomcat 8.0.26 (not an official CPE)
Apache Tomcat 8.0.24 (not an official CPE)
Apache Tomcat 8.0.23 (not an official CPE)
Apache Tomcat 8.0.22 (not an official CPE)
Apache Tomcat 8.0.21 (not an official CPE)
Apache Tomcat 8.0.20 (not an official CPE)
Apache Tomcat 8.0.18 (not an official CPE)
Apache Tomcat 8.0.17 (not an official CPE)
Apache Software Foundation Tomcat 8.0.15
Apache Software Foundation Tomcat 8.0.14
Apache Software Foundation Tomcat 8.0.12
Apache Software Foundation Tomcat 8.0.11
Apache Tomcat 8.0.3 (not an official CPE)
Apache Software Foundation Tomcat 8.0.1
Apache Software Foundation Tomcat 8.0.0 release candidate 5
Apache Tomcat 8.0.0 RC3 (not an official CPE)
Apache Software Foundation Tomcat 8.0.0 release candidate 10
Apache Software Foundation Tomcat 8.0.0 release candidate 1
Apache Tomcat 7.0.67 (not an official CPE)
Apache Tomcat 7.0.65 (not an official CPE)
Apache Tomcat 7.0.64 (not an official CPE)
Apache Tomcat 7.0.63 (not an official CPE)
Apache Tomcat 7.0.62 (not an official CPE)
Apache Tomcat 7.0.61 (not an official CPE)
Apache Tomcat 7.0.59 (not an official CPE)
Apache Software Foundation Tomcat 7.0.57
Apache Software Foundation Tomcat 7.0.56
Apache Software Foundation Tomcat 7.0.55
Apache Software Foundation Tomcat 7.0.54
Apache Tomcat 7.0.53 (not an official CPE)
Apache Tomcat 7.0.52 (not an official CPE)
Apache Software Foundation Tomcat 7.0.50
Apache Software Foundation Tomcat 7.0.47
Apache Software Foundation Tomcat 7.0.42
Apache Software Foundation Tomcat 7.0.41
Apache Software Foundation Tomcat 7.0.40
Apache Software Foundation Tomcat 7.0.39
Apache Software Foundation Tomcat 7.0.37
Apache Software Foundation Tomcat 7.0.35
Apache Software Foundation Tomcat 7.0.34
Apache Software Foundation Tomcat 7.0.33
Apache Software Foundation Tomcat 7.0.32
Apache Software Foundation Tomcat 7.0.30
Apache Software Foundation Tomcat 7.0.29
Apache Software Foundation Tomcat 7.0.28
Apache Software Foundation Tomcat 7.0.27
Apache Software Foundation Tomcat 7.0.26
Apache Software Foundation Tomcat 7.0.25
Apache Software Foundation Tomcat 7.0.23
Apache Software Foundation Tomcat 7.0.22
Apache Software Foundation Tomcat 7.0.21
Apache Software Foundation Tomcat 7.0.20
Apache Software Foundation Tomcat 7.0.19
Apache Software Foundation Tomcat 7.0.16
Apache Software Foundation Tomcat 7.0.14
Apache Software Foundation Tomcat 7.0.12
Apache Software Foundation Tomcat 7.0.11
Apache Software Foundation Tomcat 7.0.10
Apache Software Foundation Tomcat 7.0.6
Apache Tomcat 7.0.5 beta (not an official CPE)
Apache Software Foundation Tomcat 7.0.4 beta
Apache Software Foundation Tomcat 7.0.2 beta
Apache Software Foundation Tomcat 7.0.0 beta
Apache Tomcat 6.0.44 (not an official CPE)
Apache Software Foundation Tomcat 6.0.43
Apache Software Foundation Tomcat 6.0.41
Apache Tomcat 6.0.39 (not an official CPE)
Apache Software Foundation Tomcat 6.0.37
Apache Software Foundation Tomcat 6.0.36
Apache Software Foundation Tomcat 6.0.35
Apache Software Foundation Tomcat 6.0.33
Apache Software Foundation Tomcat 6.0.32
Apache Software Foundation Tomcat 6.0.30
Apache Software Foundation Tomcat 6.0.29
Apache Software Foundation Tomcat 6.0.28
Apache Software Foundation Tomcat 6.0.26
Apache Software Foundation Tomcat 6.0.24
Apache Software Foundation Tomcat 6.0.20
Apache Software Foundation Tomcat 6.0.18
Apache Software Foundation Tomcat 6.0.16
Apache Software Foundation Tomcat 6.0.14
Apache Software Foundation Tomcat 6.0.13
Apache Software Foundation Tomcat 6.0.11
Apache Software Foundation Tomcat 6.0.10
Apache Software Foundation Tomcat 6.0.4 alpha
Apache Software Foundation Tomcat 6.0.4
Apache Software Foundation Tomcat 6.0.2 beta
Apache Software Foundation Tomcat 6.0.2 alpha
Apache Software Foundation Tomcat 6.0.2
Apache Software Foundation Tomcat 6.0.1 alpha
Apache Software Foundation Tomcat 6.0.1
Apache Software Foundation Tomcat 6.0.0 alpha
Apache Software Foundation Tomcat 6.0.0

References (Advisory / Patch / Confirmed / Link)

[tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in ...
[tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in ...
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
[tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in ...
[tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in ...
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
RHSA-2016:1088
https://bto.bluecoat.com/security-advisory/sa118
RHSA-2016:1087
1037640
USN-3024-1
http://www.oracle.com/technetwork/topics/security/linuxb...
83327
1035069
http://svn.apache.org/viewvc?view=revision&revision=1726...
http://www.oracle.com/technetwork/topics/security/bullet...
http://svn.apache.org/viewvc?view=revision&revision=1725...
http://www.oracle.com/technetwork/security-advisory/cpuo...
http://www.oracle.com/technetwork/security-advisory/cpuo...
DSA-3609
http://www.oracle.com/technetwork/security-advisory/cpuj...
DSA-3552
DSA-3530
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-8.html
http://svn.apache.org/viewvc?view=revision&revision=1726...
http://svn.apache.org/viewvc?view=revision&revision=1727...
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://svn.apache.org/viewvc?view=revision&revision=1727...
http://svn.apache.org/viewvc?view=revision&revision=1727...
http://svn.apache.org/viewvc?view=revision&revision=1725...
http://svn.apache.org/viewvc?view=revision&revision=1726...
20160222 [SECURITY] CVE-2016-0714 Apache Tomcat Security...
RHSA-2016:2807
RHSA-2016:2808
RHSA-2016:2599
RHSA-2016:1089
RHSA-2016:2045
HPSBUX03561
SUSE-SU-2016:0839
openSUSE-SU-2016:0865
SUSE-SU-2016:0822
SUSE-SU-2016:0769
GLSA-201705-09
https://security.netapp.com/advisory/ntap-20180531-0001/