CVE-2016-6816
tomcat8 - security update
7.1
HIGH
CVSS 3.1
EPSS 3.3%
Description
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.
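The root cause above is a request-line parser that tolerates bytes the HTTP grammar forbids, so a front-end proxy and Tomcat can read the same line differently. The following validator is an added illustration, not code from the advisory or from Tomcat, showing the strict RFC 7230 request-line check a defender wants in place: token-only method, exactly one space between the three parts, no control or non-ASCII bytes, and an exact HTTP-version. The sample request lines it is tested with are constructed.

```python
import re

# RFC 7230 "token" characters, the only bytes allowed in a method name.
TCHAR = set("!#$%&'*+-.^_`|~0123456789"
            "abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ")
# HTTP-version is literally "HTTP/" DIGIT "." DIGIT, nothing else.
VERSION_RE = re.compile(rb"^HTTP/[0-9]\.[0-9]$")


def validate_request_line(raw: bytes):
    """Strictly validate one HTTP/1.x request line (without the CRLF).

    Returns (True, None) for a line that cannot be read two ways, or
    (False, reason) for anything a lenient parser might silently accept.
    """
    for b in raw:
        # CR, LF, TAB, NUL and other controls (< 0x20), DEL (0x7F) and any
        # 8-bit byte are never valid in a request line; SP (0x20) is the
        # only separator and is checked structurally below.
        if (b < 0x20) or (b >= 0x7F):
            return False, "control or non-ASCII byte in request line"
    # Exactly one SP separates METHOD, request-target and HTTP-version.
    # Runs of spaces are where parsers start to disagree, so reject them.
    parts = raw.split(b" ")
    if len(parts) != 3:
        return False, "request line must be METHOD SP target SP version"
    method, target, version = parts
    if not method or any(chr(b) not in TCHAR for b in method):
        return False, "method is not a valid token"
    if not target:
        return False, "empty request-target"
    if not VERSION_RE.match(version):
        return False, "malformed HTTP-version"
    return True, None


if __name__ == "__main__":
    # Constructed samples: one clean line, then lines a strict parser
    # must refuse (tab separator, embedded CR, double space, bad token).
    for line in (b"GET /index.html HTTP/1.1",
                 b"GET /index.html\tHTTP/1.1",
                 b"GET /a HTTP/1.1\rX-Injected: 1",
                 b"GET  /a HTTP/1.1",
                 b"G{T /a HTTP/1.1"):
        print(line, validate_request_line(line))
```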
How to fix CVE-2016-6816
To remediate CVE-2016-6816, upgrade the affected package to a fixed version below.
- upgrade to 7.0.56-3+deb8u6 or later
- upgrade to 8.0.14-1+deb8u5 or later
- upgrade to 9.0.0.M12 or later
Is CVE-2016-6816 being exploited?
Low — EPSS is 3.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 7.0.56-3+deb8u6
- from 0, < 8.0.14-1+deb8u5
- >= 9.0.0.M1, < 9.0.0.M12
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |