CVE-2016-5018

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

Affected Software

Name	Vendor	Start Version	End Version
Tomcat	Apache	6.0.0 (including)	6.0.45 (including)
Tomcat	Apache	7.0.0 (including)	7.0.70 (including)
Tomcat	Apache	8.0 (including)	8.0.36 (including)
Tomcat	Apache	8.5.0 (including)	8.5.4 (including)
Tomcat	Apache	9.0.0-milestone1 (including)	9.0.0-milestone1 (including)
Tomcat	Apache	9.0.0-milestone2 (including)	9.0.0-milestone2 (including)
Tomcat	Apache	9.0.0-milestone3 (including)	9.0.0-milestone3 (including)
Tomcat	Apache	9.0.0-milestone4 (including)	9.0.0-milestone4 (including)
Tomcat	Apache	9.0.0-milestone5 (including)	9.0.0-milestone5 (including)
Tomcat	Apache	9.0.0-milestone6 (including)	9.0.0-milestone6 (including)
Tomcat	Apache	9.0.0-milestone7 (including)	9.0.0-milestone7 (including)
Tomcat	Apache	9.0.0-milestone8 (including)	9.0.0-milestone8 (including)
Tomcat	Apache	9.0.0-milestone9 (including)	9.0.0-milestone9 (including)

NVD	https://nvd.nist.gov/vuln/detail/CVE-2016-5018
CWE	https://cwe.mitre.org/data/definitions/.html

Affected Software

References