CVE-2016-0706 — Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

Description

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

How to fix CVE-2016-0706

To remediate CVE-2016-0706, upgrade the affected package to a fixed version below.

—upgrade to 9.0.0.M2 or later

Is CVE-2016-0706 being exploited?

Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 9.0.0.M1, < 9.0.0.M2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (54)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-0706
PATCHgithub.com/apache/tomcat
WEBlists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
WEBlists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html