CVE-2016-0706
Published: 24 February 2016
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
From the Ubuntu security team
It was discovered that Tomcat did not place StatusManagerServlet on the RestrictedServlets list. A remote attacker could possibly use this issue to read arbitrary HTTP requests, including session ID values. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10.
CVSS 3 base score: 4.3
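The description above names the mechanism: a servlet class is only shielded from SecurityManager-restricted web applications if it is listed as `restricted` in `org/apache/catalina/core/RestrictedServlets.properties`, and `StatusManagerServlet` was missing from that list. The following script is an added example (not code from Apache Tomcat or the Ubuntu security team) that gives a defender two checks: whether a given copy of that properties file restricts `StatusManagerServlet`, and whether an upstream Tomcat version is at or past the first fixed release for its branch (6.0.45, 7.0.68, 8.0.31, 9.0.0.M2). The two sample properties texts are constructed for the demonstration, and the `.properties` parser only implements the subset that file uses (comments and `key=value` lines).

```python
"""Checks for CVE-2016-0706: StatusManagerServlet missing from RestrictedServlets.

Constructed example; not code from Apache Tomcat or Ubuntu.
"""
import re

STATUS_SERVLET = "org.apache.catalina.manager.StatusManagerServlet"

# First fixed upstream version per affected branch, as stated in the advisory.
FIXED_IN = {6: "6.0.45", 7: "7.0.68", 8: "8.0.31", 9: "9.0.0.M2"}

# Constructed samples: the first mimics a file that omits the status servlet,
# the second a file that restricts it. Not copied from a real Tomcat release.
VULNERABLE_SAMPLE = """# constructed sample
org.apache.catalina.manager.HTMLManagerServlet=restricted
org.apache.catalina.manager.ManagerServlet=restricted
org.apache.catalina.manager.JMXProxyServlet=restricted
"""
FIXED_SAMPLE = VULNERABLE_SAMPLE + STATUS_SERVLET + "=restricted\n"


def parse_properties(text):
    """Minimal Java .properties reader: returns {key: value}.

    Supports '#'/'!' comment lines and '=', ':' or whitespace separators,
    which is all RestrictedServlets.properties uses. Escapes and line
    continuations are not implemented.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_restricted(properties_text, servlet_class=STATUS_SERVLET):
    """True if the properties text marks servlet_class as 'restricted'."""
    return parse_properties(properties_text).get(servlet_class) == "restricted"


def _version_key(version):
    """Turn '8.0.31' or '9.0.0.M2' into a comparable list of (rank, number).

    Numeric components get rank 0; a milestone 'Mn' gets rank -1 so that
    9.0.0.M1 < 9.0.0.M2 < 9.0.1 sorts as Tomcat intends.
    """
    key = []
    for tok in version.split("."):
        if tok.isdigit():
            key.append((0, int(tok)))
        else:
            m = re.fullmatch(r"M(\d+)", tok)
            if not m:
                raise ValueError("unrecognised version component: %r" % tok)
            key.append((-1, int(m.group(1))))
    return key


def _cmp_versions(a, b):
    ka, kb = _version_key(a), _version_key(b)
    n = max(len(ka), len(kb))
    ka += [(0, 0)] * (n - len(ka))  # pad so '9.0.0' compares above '9.0.0.M2'
    kb += [(0, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def upstream_version(package_version):
    """Strip a Debian/Ubuntu suffix: '7.0.52-1ubuntu0.6' -> '7.0.52'."""
    return re.split(r"[+-]", package_version)[0]


def is_fixed(version):
    """True if the upstream Tomcat version is at or past the fix for its branch."""
    major = int(version.split(".")[0])
    if major > 9:
        return True  # later branches were never affected
    if major not in FIXED_IN:
        raise ValueError("branch %d.x is not covered by this advisory" % major)
    return _cmp_versions(version, FIXED_IN[major]) >= 0


if __name__ == "__main__":
    print("vulnerable sample restricts status servlet:", is_restricted(VULNERABLE_SAMPLE))
    print("fixed sample restricts status servlet:", is_restricted(FIXED_SAMPLE))
    for v in ("6.0.44", "6.0.45", "9.0.0.M1", "9.0.0.M2"):
        print(v, "fixed" if is_fixed(v) else "vulnerable")
```

Note that `is_fixed` only compares against the upstream thresholds. Ubuntu backports fixes into existing package versions, so a package such as `7.0.52-1ubuntu0.6` reports as vulnerable by version number even though the status table marks it as fixed; for distribution packages, the status table and the package changelog are authoritative, and the properties-file check is the one that reflects what is actually installed.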
Status
| Package | Release | Status |
|---|---|---|
| tomcat6 (Launchpad, Ubuntu, Debian) | Upstream | Released (6.0.45) |
| | Ubuntu 18.04 LTS (Bionic Beaver) | Does not exist |
| | Ubuntu 16.04 LTS (Xenial Xerus) | Released (6.0.45+dfsg-1) |
| | Ubuntu 14.04 ESM (Trusty Tahr) | Released (6.0.39-1ubuntu0.1) |
| | Patches | Upstream: http://svn.apache.org/viewvc?view=revision&revision=1722802 |
| tomcat7 (Launchpad, Ubuntu, Debian) | Upstream | Released (7.0.68-1) |
| | Ubuntu 18.04 LTS (Bionic Beaver) | Not vulnerable (7.0.68-1) |
| | Ubuntu 16.04 LTS (Xenial Xerus) | Not vulnerable (7.0.68-1) |
| | Ubuntu 14.04 ESM (Trusty Tahr) | Released (7.0.52-1ubuntu0.6) |
| | Patches | Upstream: http://svn.apache.org/viewvc?view=revision&revision=1722801 |
| tomcat8 (Launchpad, Ubuntu, Debian) | Upstream | Released (8.0.32-1) |
| | Ubuntu 18.04 LTS (Bionic Beaver) | Not vulnerable (8.0.32-1ubuntu1) |
| | Ubuntu 16.04 LTS (Xenial Xerus) | Not vulnerable (8.0.32-1ubuntu1) |
| | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist |
| | Patches | Upstream: http://svn.apache.org/viewvc?view=revision&revision=1722800 |