Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2016-6794

Опубликовано: 10 авг. 2017
Источник: debian

Описание

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
tomcat8fixed8.0.37-1package
tomcat7fixed7.0.72-1package
tomcat6fixed6.0.41-3package

Примечания

  • Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie

  • http://markmail.org/message/zk7w6yly5mviocci?q=list:org.apache.tomcat.announce/

  • Fixed by: http://svn.apache.org/r1754727 (8.0.x)

  • Fixed by: http://svn.apache.org/r1754728 (7.0.x)

  • Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1754733 (6.0.x)

Связанные уязвимости

ubuntu логотип

CVE-2016-6794

CVSS3: 5.3
ubuntu
почти 8 лет назад

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

redhat логотип

CVE-2016-6794

CVSS3: 3.1
redhat
больше 8 лет назад

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

nvd логотип

CVE-2016-6794

CVSS3: 5.3
nvd
почти 8 лет назад

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

github логотип

GHSA-2rvf-329f-p99g

CVSS3: 5.3
github
около 3 лет назад

System Property Disclosure in Apache Tomcat

oracle-oval логотип

ELSA-2017-2247

oracle-oval
почти 8 лет назад

ELSA-2017-2247: tomcat security, bug fix, and enhancement update (LOW)