Π›ΠΎΠ³ΠΎΡ‚ΠΈΠΏ exploitDog
Консоль
Π›ΠΎΠ³ΠΎΡ‚ΠΈΠΏ exploitDog

exploitDog

redhat Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

CVE-2016-0763

ΠžΠΏΡƒΠ±Π»ΠΈΠΊΠΎΠ²Π°Π½ΠΎ: 22 Ρ„Π΅Π². 2016
Π˜ΡΡ‚ΠΎΡ‡Π½ΠΈΠΊ: redhat
CVSS3: 6.3
CVSS2: 4.3

ОписаниС

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service.

Π—Π°Ρ‚Ρ€ΠΎΠ½ΡƒΡ‚Ρ‹Π΅ ΠΏΠ°ΠΊΠ΅Ρ‚Ρ‹

ΠŸΠ»Π°Ρ‚Ρ„ΠΎΡ€ΠΌΠ°ΠŸΠ°ΠΊΠ΅Ρ‚Π‘ΠΎΡΡ‚ΠΎΡΠ½ΠΈΠ΅Π Π΅ΠΊΠΎΠΌΠ΅Π½Π΄Π°Ρ†ΠΈΡΠ Π΅Π»ΠΈΠ·
Red Hat Enterprise Linux 6tomcat6Not affected
Red Hat JBoss BRMS 5jbosswebWill not fix
Red Hat JBoss Data Grid 6jbosswebAffected
Red Hat JBoss Enterprise Application Platform 4jbosswebWill not fix
Red Hat JBoss Enterprise Application Platform 5jbosswebWill not fix
Red Hat JBoss Enterprise Application Platform 6jbosswebWill not fix
Red Hat JBoss Fuse Service Works 6jbosswebWill not fix
Red Hat JBoss Operations Network 3jbosswebAffected
Red Hat JBoss Portal 6jbosswebAffected
Red Hat Enterprise Linux 7tomcatFixedRHSA-2016:259903.11.2016

ΠŸΠΎΠΊΠ°Π·Ρ‹Π²Π°Ρ‚ΡŒ ΠΏΠΎ

Бсылки Π½Π° источники

Π”ΠΎΠΏΠΎΠ»Π½ΠΈΡ‚Π΅Π»ΡŒΠ½Π°Ρ информация

Бтатус:

Moderate
Π”Π΅Ρ„Π΅ΠΊΡ‚:
CWE-287
https://bugzilla.redhat.com/show_bug.cgi?id=1311093tomcat: security manager bypass via setGlobalContext()

6.3 Medium

CVSS3

4.3 Medium

CVSS2

БвязанныС уязвимости

ubuntu Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

CVE-2016-0763

CVSS3: 6.3
ubuntu
ΠΎΠΊΠΎΠ»ΠΎ 10 Π»Π΅Ρ‚ Π½Π°Π·Π°Π΄

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

nvd Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

CVE-2016-0763

CVSS3: 6.3
nvd
ΠΎΠΊΠΎΠ»ΠΎ 10 Π»Π΅Ρ‚ Π½Π°Π·Π°Π΄

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

debian Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

CVE-2016-0763

CVSS3: 6.3
debian
ΠΎΠΊΠΎΠ»ΠΎ 10 Π»Π΅Ρ‚ Π½Π°Π·Π°Π΄

The setGlobalContext method in org/apache/naming/factory/ResourceLinkF ...

github Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

GHSA-9hjv-9h75-xmpp

CVSS3: 6.3
github
ΠΏΠΎΡ‡Ρ‚ΠΈ 4 Π³ΠΎΠ΄Π° Π½Π°Π·Π°Π΄

Improper Verification of Source of a Communication Channel in Apache Tomcat

fstec Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

BDU:2016-00616

fstec
ΠΎΠΊΠΎΠ»ΠΎ 10 Π»Π΅Ρ‚ Π½Π°Π·Π°Π΄

Π£ΡΠ·Π²ΠΈΠΌΠΎΡΡ‚ΡŒ сСрвСра ΠΏΡ€ΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΠΉ Apache Tomcat, ΠΏΠΎΠ·Π²ΠΎΠ»ΡΡŽΡ‰Π°Ρ Π½Π°Ρ€ΡƒΡˆΠΈΡ‚Π΅Π»ΡŽ Π²Ρ‹Π·Π²Π°Ρ‚ΡŒ ΠΎΡ‚ΠΊΠ°Π· Π² обслуТивании

6.3 Medium

CVSS3

4.3 Medium

CVSS2

Π£ΡΠ·Π²ΠΈΠΌΠΎΡΡ‚ΡŒ CVE-2016-0763