CVE Vulnerabilities

CVE-2016-0763

Published: Feb 25, 2016 | Modified: Dec 08, 2023
CVSS 3.x
6.3
MEDIUM
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVSS 2.x
6.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
RedHat/V2
4.3 MODERATE
AV:A/AC:M/Au:N/C:P/I:P/A:N
RedHat/V3
6.3 MODERATE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Ubuntu
MEDIUM

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Affected Software

Name Vendor Start Version End Version
Debian_linux Debian 7.0 (including) 7.0 (including)
Debian_linux Debian 8.0 (including) 8.0 (including)
Tomcat6 Ubuntu precise *
Tomcat6 Ubuntu trusty *
Tomcat6 Ubuntu upstream *
Tomcat6 Ubuntu wily *
Tomcat6 Ubuntu xenial *
Tomcat7 Ubuntu precise *
Tomcat7 Ubuntu trusty *
Tomcat7 Ubuntu upstream *
Tomcat7 Ubuntu wily *
Tomcat8 Ubuntu upstream *
Tomcat8 Ubuntu wily *
Red Hat Enterprise Linux 7 RedHat tomcat-0:7.0.69-10.el7 *
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 RedHat tomcat7-0:7.0.54-23_patch_05.ep6.el6 *
Red Hat JBoss Enterprise Web Server 2 for RHEL 7 RedHat tomcat7-0:7.0.54-23_patch_05.ep6.el7 *
Red Hat JBoss Web Server 2.1 RedHat tomcat7 *
Red Hat JBoss Web Server 3.0 RedHat *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat httpd24-0:2.4.6-61.ep7.el6 *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat mod_security-jws3-0:2.8.0-7.GA.ep7.el6 *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat tomcat7-0:7.0.59-50_patch_01.ep7.el6 *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat tomcat8-0:8.0.18-61_patch_01.ep7.el6 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat httpd24-0:2.4.6-61.ep7.el7 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat mod_security-jws3-0:2.8.0-7.GA.ep7.el7 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat tomcat7-0:7.0.59-50_patch_01.ep7.el7 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat tomcat8-0:8.0.18-61_patch_01.ep7.el7 *

References