CVE Vulnerabilities

CVE-2016-6325

Published: Oct 13, 2016 | Modified: Feb 12, 2023
CVSS 3.x
7.8
HIGH
Source:
NVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.2 HIGH
AV:L/AC:L/Au:N/C:C/I:C/A:C
RedHat/V2
6.9 IMPORTANT
AV:L/AC:M/Au:N/C:C/I:C/A:C
RedHat/V3
7.8 IMPORTANT
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.

Affected Software

Name Vendor Start Version End Version
Tomcat Apache - (including) - (including)
Red Hat Enterprise Linux 6 RedHat tomcat6-0:6.0.24-98.el6_8 *
Red Hat Enterprise Linux 7 RedHat tomcat-0:7.0.54-8.el7_2 *
Red Hat JBoss Web Server 3.1 RedHat *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6 *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat jbcs-httpd24-0:1-3.jbcs.el6 *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6 *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6 *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6 *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat tomcat7-0:7.0.70-16.ep7.el6 *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat tomcat8-0:8.0.36-17.ep7.el6 *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat tomcat-native-0:1.2.8-9.redhat_9.ep7.el6 *
Red Hat JBoss Web Server 3 for RHEL 6 RedHat tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat jbcs-httpd24-0:1-3.jbcs.el7 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat tomcat7-0:7.0.70-16.ep7.el7 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat tomcat8-0:8.0.36-17.ep7.el7 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat tomcat-native-0:1.2.8-9.redhat_9.ep7.el7 *
Red Hat JBoss Web Server 3 for RHEL 7 RedHat tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7 *

References