Описание
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
| Релиз | Статус | Примечание |
|---|---|---|
| artful | DNE | |
| bionic | DNE | |
| devel | DNE | |
| esm-apps/xenial | released | 6.0.45+dfsg-1 |
| esm-infra-legacy/trusty | not-affected | 6.0.39-1ubuntu0.1 |
| precise | released | 6.0.35-1ubuntu3.7 |
| precise/esm | not-affected | 6.0.35-1ubuntu3.7 |
| trusty | released | 6.0.39-1ubuntu0.1 |
| trusty/esm | not-affected | 6.0.39-1ubuntu0.1 |
| upstream | released | 6.0.45 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| artful | not-affected | 7.0.68-1 |
| bionic | not-affected | 7.0.68-1 |
| devel | not-affected | 7.0.68-1 |
| esm-apps/bionic | not-affected | 7.0.68-1 |
| esm-apps/xenial | not-affected | 7.0.68-1 |
| esm-infra-legacy/trusty | not-affected | 7.0.52-1ubuntu0.6 |
| precise | ignored | end of life |
| precise/esm | DNE | precise was needed |
| trusty | released | 7.0.52-1ubuntu0.6 |
| trusty/esm | not-affected | 7.0.52-1ubuntu0.6 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| artful | not-affected | 8.0.32-1ubuntu1 |
| bionic | not-affected | 8.0.32-1ubuntu1 |
| devel | not-affected | 8.0.32-1ubuntu1 |
| esm-apps/bionic | not-affected | 8.0.32-1ubuntu1 |
| esm-infra-legacy/trusty | DNE | |
| esm-infra/xenial | not-affected | 8.0.32-1ubuntu1 |
| precise | DNE | |
| precise/esm | DNE | |
| trusty | DNE | |
| trusty/esm | DNE |
Показывать по
EPSS
4 Medium
CVSS2
4.3 Medium
CVSS3
Связанные уязвимости
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, ...
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
Уязвимость сервера приложений Apache Tomcat, позволяющая нарушителю обойти ограничения доступа и выполнить чтение произвольных HTTP-запросов
EPSS
4 Medium
CVSS2
4.3 Medium
CVSS3