CVE-2016-0762

Published: 10 Aug 2017
Source: debian
EPSS: Low

Description

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Packages

Package   Status   Fixed version   Release   Type
tomcat8   fixed    8.0.37-1                  package
tomcat7   fixed    7.0.72-1                  package
tomcat6   fixed    6.0.41-3                  package

Notes

  • Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie

  • http://markmail.org/message/pzuk6hauzljnm4r7?q=list:org.apache.tomcat.announce/

  • Fixed by: http://svn.apache.org/r1758501 (8.0.x)

  • Fixed by: http://svn.apache.org/r1758502 (7.0.x)

  • Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1758506 (6.0.x)

EPSS

Percentile: 76%
0.00967
Low

Related vulnerabilities

CVSS3: 5.9
ubuntu
about 8 years ago

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

CVSS3: 3.7
redhat
about 9 years ago

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

CVSS3: 5.9
nvd
about 8 years ago

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

CVSS3: 5.9
github
more than 3 years ago

Observable Discrepancy in Apache Tomcat

CVSS3: 5.9
fstec
almost 10 years ago

A vulnerability in the Realm implementation of the Apache Tomcat application server, related to information disclosure through an observable discrepancy, that allows an attacker to determine all existing user names
