CVE-2016-0763

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
Severity
MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Atk. Vector
NETWORK
Atk. Complexity
LOW
Priv. Required
LOW
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
debiandebian_linux
7.0
debiandebian_linux
8.0
apachetomcat
7.0.0
apachetomcat
7.0.2
apachetomcat
7.0.4
apachetomcat
7.0.5
apachetomcat
7.0.6
apachetomcat
7.0.10
apachetomcat
7.0.11
apachetomcat
7.0.12
apachetomcat
7.0.14
apachetomcat
7.0.16
apachetomcat
7.0.19
apachetomcat
7.0.20
apachetomcat
7.0.21
apachetomcat
7.0.22
apachetomcat
7.0.23
apachetomcat
7.0.25
apachetomcat
7.0.26
apachetomcat
7.0.27
apachetomcat
7.0.28
apachetomcat
7.0.29
apachetomcat
7.0.30
apachetomcat
7.0.32
apachetomcat
7.0.33
apachetomcat
7.0.34
apachetomcat
7.0.35
apachetomcat
7.0.37
apachetomcat
7.0.39
apachetomcat
7.0.40
apachetomcat
7.0.41
apachetomcat
7.0.42
apachetomcat
7.0.47
apachetomcat
7.0.50
apachetomcat
7.0.52
apachetomcat
7.0.53
apachetomcat
7.0.54
apachetomcat
7.0.55
apachetomcat
7.0.56
apachetomcat
7.0.57
apachetomcat
7.0.59
apachetomcat
7.0.61
apachetomcat
7.0.62
apachetomcat
7.0.63
apachetomcat
7.0.64
apachetomcat
7.0.65
apachetomcat
7.0.67
apachetomcat
8.0.0
apachetomcat
8.0.0
apachetomcat
8.0.0
apachetomcat
8.0.0
apachetomcat
8.0.1
apachetomcat
8.0.3
apachetomcat
8.0.11
apachetomcat
8.0.12
apachetomcat
8.0.14
apachetomcat
8.0.15
apachetomcat
8.0.17
apachetomcat
8.0.18
apachetomcat
8.0.20
apachetomcat
8.0.21
apachetomcat
8.0.22
apachetomcat
8.0.23
apachetomcat
8.0.24
apachetomcat
8.0.26
apachetomcat
8.0.27
apachetomcat
8.0.28
apachetomcat
8.0.29
apachetomcat
8.0.30
apachetomcat
9.0.0
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
15.10
canonicalubuntu_linux
16.04
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat9
bullseye (security)
9.0.43-2~deb11u10
fixed
bullseye
9.0.43-2~deb11u10
fixed
bookworm
9.0.70-2
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat6
bionic
dne
artful
dne
zesty
dne
yakkety
dne
xenial
Fixed 6.0.45+dfsg-1
released
wily
ignored
trusty
Fixed 6.0.39-1ubuntu0.1
released
precise
Fixed 6.0.35-1ubuntu3.7
released
tomcat7
bionic
not-affected
artful
not-affected
zesty
not-affected
yakkety
not-affected
xenial
not-affected
wily
Fixed 7.0.64-1ubuntu0.3
released
trusty
Fixed 7.0.52-1ubuntu0.6
released
precise
ignored
tomcat8
bionic
not-affected
artful
not-affected
zesty
not-affected
yakkety
not-affected
xenial
not-affected
wily
ignored
trusty
dne
precise
dne
Common Weakness Enumeration
References