CVE-2016-6816

Published: 23 November 2016

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.
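The mitigation side of this advisory is a request-line parser that rejects anything outside the RFC 7230 grammar instead of passing it to the next hop. The following strict parser is an added example, not Tomcat's or Ubuntu's code; the sample request lines are constructed for illustration and the character sets are taken from RFC 7230 (tchar) and RFC 3986 (origin-form target).

```python
import re

# Grammar from RFC 7230 (request-line, tchar) and RFC 3986 (origin-form target).
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
# pchar plus "/" and "?" for path and query; "%" only as the start of pct-encoded.
TARGET_CHARS = frozenset("-._~!$&'()*+,;=:@/?%0123456789"
                         "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
HTTP_VERSION = re.compile(r"^HTTP/1\.[01]$")

def parse_request_line(raw: bytes) -> tuple:
    """Strictly parse 'method SP request-target SP HTTP-version CRLF'; raise
    ValueError on any byte outside the grammar instead of passing it on."""
    if not raw.endswith(b"\r\n"):
        raise ValueError("request line must end with CRLF")
    line = raw[:-2]
    # Everything except SP must be a printable ASCII byte (rejects HTAB, C0, 8-bit).
    if any(b < 0x21 or b > 0x7E for b in line if b != 0x20):
        raise ValueError("control, HTAB or non-ASCII byte in request line")
    parts = line.decode("ascii").split(" ")
    if len(parts) != 3 or "" in parts:
        raise ValueError("expected exactly three single-SP-separated fields")
    method, target, version = parts
    if not set(method) <= TCHAR:
        raise ValueError("invalid character in method")
    if not target.startswith("/") or not set(target) <= TARGET_CHARS:
        raise ValueError("invalid character in request-target")
    # Every '%' must begin a well-formed %XX escape.
    if len(re.findall(r"%[0-9A-Fa-f]{2}", target)) != target.count("%"):
        raise ValueError("malformed percent-encoding in request-target")
    if not HTTP_VERSION.match(version):
        raise ValueError("unsupported HTTP-version")
    return method, target, version

def is_valid_request_line(raw: bytes) -> bool:
    try:
        parse_request_line(raw)
        return True
    except ValueError:
        return False

# Constructed samples: one well-formed line, then lines a lenient parser might
# accept but that a front-end proxy could read differently.
SAMPLES = {
    b"GET /index.html?q=a%20b HTTP/1.1\r\n": True,
    b"GET /index.html HTTP/1.1\n": False,      # bare LF terminator
    b"GET /a\tb HTTP/1.1\r\n": False,          # HTAB inside the target
    b"GET /a%2 HTTP/1.1\r\n": False,           # truncated percent-encoding
    b"G{E}T / HTTP/1.1\r\n": False,            # '{' and '}' are not tchar
    b"GET /\xc3\xa9 HTTP/1.1\r\n": False,      # non-ASCII bytes in the target
}
```

Running `is_valid_request_line` over `SAMPLES` returns True only for the first line; a front-end that applies the same strict grammar as the backend removes the interpretation gap the advisory relies on.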

Priority

Medium

CVSS 3 base score: 7.1

Status

Package Release Status

tomcat6 (Launchpad, Ubuntu, Debian)
  Upstream                          Released (6.0.48)
  Ubuntu 21.10 (Impish Indri)       Does not exist
  Ubuntu 21.04 (Hirsute Hippo)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)  Does not exist
  Ubuntu 16.04 ESM (Xenial Xerus)   Released (6.0.45+dfsg-1ubuntu0.1)
  Ubuntu 14.04 ESM (Trusty Tahr)    Needed
  Patches:
    Upstream: https://svn.apache.org/viewvc?view=revision&revision=1720418 (bp)
    Upstream: https://svn.apache.org/viewvc?view=revision&revision=1743650 (bp)
    Upstream: http://svn.apache.org/r1767683

tomcat7 (Launchpad, Ubuntu, Debian)
  Upstream                          Released (7.0.73)
  Ubuntu 21.10 (Impish Indri)       Does not exist
  Ubuntu 21.04 (Hirsute Hippo)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)  Not vulnerable (7.0.73-1)
  Ubuntu 16.04 ESM (Xenial Xerus)   Released (7.0.68-1ubuntu0.3)
  Ubuntu 14.04 ESM (Trusty Tahr)    Released (7.0.52-1ubuntu0.8)
  Patches:
    Upstream: http://svn.apache.org/r1767675

tomcat8 (Launchpad, Ubuntu, Debian)
  Upstream                          Released (8.0.39)
  Ubuntu 21.10 (Impish Indri)       Does not exist
  Ubuntu 21.04 (Hirsute Hippo)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)  Released (8.0.38-2ubuntu1)
  Ubuntu 16.04 ESM (Xenial Xerus)   Released (8.0.32-1ubuntu1.3)
  Ubuntu 14.04 ESM (Trusty Tahr)    Does not exist
  Patches:
    Upstream: http://svn.apache.org/r1767653