FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2016-0706

This CVE name corresponds to:

Entered	Topic
2016-02-28	tomcat -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

CVE-2016-0706 at cve.mitre.org

Details

Type	Candidate
Name	CVE-2016-0706
Phase	Assigned(20151216)

Description

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

References

Source	Reference
BUGTRAQ	20160222 [SECURITY] CVE-2016-0706 Apache Tomcat Security Manager bypass
CONFIRM	http://svn.apache.org/viewvc?view=revision&revision=1722799
CONFIRM	http://svn.apache.org/viewvc?view=revision&revision=1722800
CONFIRM	http://svn.apache.org/viewvc?view=revision&revision=1722801
CONFIRM	http://svn.apache.org/viewvc?view=revision&revision=1722802
CONFIRM	http://tomcat.apache.org/security-6.html
CONFIRM	http://tomcat.apache.org/security-7.html
CONFIRM	http://tomcat.apache.org/security-8.html
CONFIRM	http://tomcat.apache.org/security-9.html
CONFIRM	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
CONFIRM	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
CONFIRM	https://h20565.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
CONFIRM	https://h20565.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
DEBIAN	DSA-3530
DEBIAN	DSA-3609
DEBIAN	DSA-3552
UBUNTU	USN-3024-1