CVE-2016-0714
Improper Access Control in Apache Tomcat
8.8
HIGH
CVSS 3.1
EPSS 7.8%
Description
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
How to fix CVE-2016-0714
To remediate CVE-2016-0714, upgrade the affected package to a fixed version below.
- —upgrade to 9.0.0.M2 or later
Is CVE-2016-0714 being exploited?
Moderate — EPSS is 7.8%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- >= 9.0.0.M1, < 9.0.0.M2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |