Description
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat JBoss BRMS 5 | jbossweb | Will not fix | | |
| Red Hat JBoss Data Grid 6 | jbossweb | Affected | | |
| Red Hat JBoss Enterprise Application Platform 4 | jbossweb | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 5 | jbossweb | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 6 | jbossweb | Will not fix | | |
| Red Hat JBoss Fuse Service Works 6 | jbossweb | Will not fix | | |
| Red Hat JBoss Operations Network 3 | jbossweb | Affected | | |
| Red Hat JBoss Portal 6 | jbossweb | Affected | | |
| Red Hat Enterprise Linux 6 | tomcat6 | Fixed | RHSA-2016:2045 | 10.10.2016 |
| Red Hat Enterprise Linux 7 | tomcat | Fixed | RHSA-2016:2599 | 03.11.2016 |
Additional information
Status:
EPSS:
CVSS3: 8.8 High
CVSS2: 6.8 Medium
Related vulnerabilities
Vulnerability in the Apache Tomcat application server that allows an attacker to execute arbitrary code in a privileged context