Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-0762

Опубликовано: 27 окт. 2016
Источник: redhat
CVSS3: 3.7
CVSS2: 2.6
EPSS Низкий

Описание

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5tomcat5Will not fix
Red Hat Enterprise Linux 6tomcat6Will not fix
Red Hat JBoss BRMS 5jbosswebOut of support scope
Red Hat JBoss Data Grid 6jbosswebOut of support scope
Red Hat JBoss Data Virtualization 6jbosswebOut of support scope
Red Hat JBoss Enterprise Application Platform 5jbosswebNot affected
Red Hat JBoss Enterprise Application Platform 6jbosswebNot affected
Red Hat JBoss Enterprise Web Server 2tomcat6Will not fix
Red Hat JBoss Enterprise Web Server 2tomcat7Will not fix
Red Hat JBoss Enterprise Web Server 3tomcat7Fix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
https://bugzilla.redhat.com/show_bug.cgi?id=1390526tomcat: timing attack in Realm implementation

EPSS

Процентиль: 71%
0.00682
Низкий

3.7 Low

CVSS3

2.6 Low

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2016-0762

CVSS3: 5.9
ubuntu
почти 8 лет назад

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

nvd логотип

CVE-2016-0762

CVSS3: 5.9
nvd
почти 8 лет назад

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

debian логотип

CVE-2016-0762

CVSS3: 5.9
debian
почти 8 лет назад

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0. ...

github логотип

GHSA-wxcp-f2c8-x6xv

CVSS3: 5.9
github
около 3 лет назад

Observable Discrepancy in Apache Tomcat

fstec логотип

BDU:2022-04494

CVSS3: 5.9
fstec
больше 9 лет назад

Уязвимость реализации Realm сервера приложений Apache Tomcat, связанная с раскрытием информации через несоответствие, позволяющая нарушителю определить все существующие имена пользователей

EPSS

Процентиль: 71%
0.00682
Низкий

3.7 Low

CVSS3

2.6 Low

CVSS2