CVE-2016-0762

Published: 10 Aug 2017
Source: debian

Description

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
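The pattern the description refers to and the shape of its fix, as an added illustration in Python that is not Tomcat's own Java code: the vulnerable path returns before the password is ever hashed when the user name is unknown, while the hardened path always performs the same password derivation (against a dummy record, a hypothetical stand-in for what a fix has to achieve), so a failed login costs the same for known and unknown names. The credential store, user names and passwords are constructed for the example.

```python
import hashlib, hmac, os, time
# Constructed sample store: one known user, PBKDF2-SHA256 with a high iteration
# count so the cost of "processing the supplied password" is measurable.
ITERATIONS = 20_000
def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, derive("correct horse battery", _SALT))}
# Dummy credential for the hardened path (hypothetical, not Tomcat's code): unknown
# names are checked against it so both branches perform the same expensive work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = derive("placeholder", _DUMMY_SALT)

def authenticate_vulnerable(username: str, password: str, stats: dict) -> bool:
    # Pattern behind CVE-2016-0762: unknown user returns early, password never hashed.
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    stats["derivations"] += 1
    return hmac.compare_digest(derive(password, salt), digest)

def authenticate_hardened(username: str, password: str, stats: dict) -> bool:
    # Always derive and compare; for an unknown name use the dummy record.
    record = USERS.get(username)
    salt, digest = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    stats["derivations"] += 1
    match = hmac.compare_digest(derive(password, salt), digest)
    return match and record is not None   # a dummy match must never log anyone in

def derivation_counts(authenticate) -> tuple:
    # Password derivations triggered by a failed login for a known vs. unknown name.
    known, unknown = {"derivations": 0}, {"derivations": 0}
    authenticate("alice", "wrong", known)
    authenticate("nobody", "wrong", unknown)
    return known["derivations"], unknown["derivations"]

def timing_gap(authenticate) -> float:
    # Wall-clock difference (seconds) between the two failed logins; noisy, for illustration.
    def clock(user):
        t0 = time.perf_counter()
        authenticate(user, "wrong", {"derivations": 0})
        return time.perf_counter() - t0
    return clock("alice") - clock("nobody")

if __name__ == "__main__":
    for name, fn in (("vulnerable", authenticate_vulnerable), ("hardened", authenticate_hardened)):
        print(f"{name}: derivations (known, unknown) = {derivation_counts(fn)}, "
              f"timing gap = {timing_gap(fn):.4f}s")
```

Equalising the work removes the gross discrepancy the description talks about but does not by itself guarantee identical timing (lookup cost and I/O still differ); a lockout such as the LockOutRealm mentioned above additionally limits how many failed attempts a client can make.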

Packages

Package   Status   Fixed version   Release   Type
tomcat8   fixed    8.0.37-1                  package
tomcat7   fixed    7.0.72-1                  package
tomcat6   fixed    6.0.41-3                  package

Notes

  • Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie

  • http://markmail.org/message/pzuk6hauzljnm4r7?q=list:org.apache.tomcat.announce/

  • Fixed by: http://svn.apache.org/r1758501 (8.0.x)

  • Fixed by: http://svn.apache.org/r1758502 (7.0.x)

  • Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1758506 (6.0.x)

Related vulnerabilities

CVSS3: 5.9
ubuntu
almost 8 years ago


CVSS3: 3.7
redhat
more than 8 years ago


CVSS3: 5.9
nvd
almost 8 years ago


CVSS3: 5.9
github
about 3 years ago

Observable Discrepancy in Apache Tomcat

CVSS3: 5.9
fstec
more than 9 years ago

A vulnerability in the Realm implementation of the Apache Tomcat application server, related to information disclosure through an observable discrepancy, allowing an attacker to determine all existing user names