Описание
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss BRMS 5 | jbossweb | Will not fix | ||
| Red Hat JBoss Data Grid 6 | jbossweb | Affected | ||
| Red Hat JBoss Enterprise Application Platform 4 | jbossweb | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 5 | jbossweb | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 6 | jbossweb | Not affected | ||
| Red Hat JBoss Fuse Service Works 6 | jbossweb | Will not fix | ||
| Red Hat JBoss Operations Network 3 | jbossweb | Affected | ||
| Red Hat JBoss Portal 6 | jbossweb | Affected | ||
| Red Hat Enterprise Linux 6 | tomcat6 | Fixed | RHSA-2016:2045 | 10.10.2016 |
| Red Hat Enterprise Linux 7 | tomcat | Fixed | RHSA-2016:2599 | 03.11.2016 |
Показывать по
Дополнительная информация
Статус:
4.3 Medium
CVSS3
2.9 Low
CVSS2
Связанные уязвимости
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, ...
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
Уязвимость сервера приложений Apache Tomcat, позволяющая нарушителю обойти ограничения доступа и выполнить чтение произвольных HTTP-запросов
4.3 Medium
CVSS3
2.9 Low
CVSS2