CVE-2016-8735
Apache Tomcat Improper Access Control vulnerability
9.8
CRITICAL
CVSS 3.1
KEV: listed | EPSS: 93.8%
Description
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
How to fix CVE-2016-8735
To remediate CVE-2016-8735, upgrade the affected package to a fixed version below.
- both affected packages: upgrade to 6.0.48 or later
Is CVE-2016-8735 being exploited?
Yes — CVE-2016-8735 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.
Affected packages (2)
- both packages: from 0, < 6.0.48
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |