exploitDog

CVE-2016-6797

Published: 10 Aug 2017
Source: debian

Description

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

Packages

Package    Status    Fixed version    Release    Type
tomcat8    fixed     8.0.37-1                    package
tomcat7    fixed     7.0.72-1                    package
tomcat6    fixed     6.0.41-3                    package

Notes

  • Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie

  • http://markmail.org/message/wrku5orwxfpt5mzl?q=list:org.apache.tomcat.announce/

  • Fixed by: http://svn.apache.org/r1757273 (8.0.x)

  • Fixed by: http://svn.apache.org/r1757275 (7.0.x)

  • Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1757285 (6.0.x)

Related vulnerabilities

CVSS3: 7.5
ubuntu
about 8 years ago

CVSS3: 3.7
redhat
about 9 years ago

CVSS3: 7.5
nvd
about 8 years ago

CVSS3: 7.5
github
more than 3 years ago

Incorrect Authorization in Apache Tomcat

oracle-oval
more than 8 years ago

ELSA-2017-2247: tomcat security, bug fix, and enhancement update (LOW)