All errata/sisyphus/ALT-PU-2016-1193-2
ALT-PU-2016-1193-2

Package update tomcat in branch sisyphus

Version8.0.32-alt1_4jpp8
Task#160581
Published2026-02-04
Max severityHIGH
Severity:

Closed issues (21)

BDU:2016-00541
MEDIUM4.0

Уязвимость сервера приложений Apache Tomcat, позволяющая нарушителю обойти ограничения проверки подлинности

Published: 2016-03-11Modified: 2021-03-23
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
References
BDU:2016-00611
MEDIUM5.0

Уязвимость сервера приложений Apache Tomcat, позволяющая нарушителю определить существование каталога

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2016-00612
MEDIUM6.8

Уязвимость сервера приложений Apache Tomcat, позволяющая нарушителю получить доступ к веб-сессиям

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
References
BDU:2016-00613
MEDIUM6.8

Уязвимость сервера приложений Apache Tomcat, позволяющая нарушителю обойти механизм защиты CSRF

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
References
BDU:2016-00614
MEDIUM4.0

Уязвимость сервера приложений Apache Tomcat, позволяющая нарушителю обойти ограничения доступа и выполнить чтение произвольных HTTP-запросов

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
References
BDU:2016-00615
MEDIUM6.5

Уязвимость сервера приложений Apache Tomcat, позволяющая нарушителю выполнить произвольный код в привилегированном контексте

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0MEDIUM 6.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P
References
BDU:2016-00616
MEDIUM6.5

Уязвимость сервера приложений Apache Tomcat, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2016-03-17Modified: 2021-03-23
CVSS 2.0MEDIUM 6.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P
References
CVE-2015-5174
MEDIUM4.3

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

Published: 2016-02-25Modified: 2025-04-12
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References
CVE-2015-5345
MEDIUM5.3

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

Published: 2016-02-25Modified: 2025-04-12
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2015-5346
HIGH8.1

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Published: 2016-02-25Modified: 2025-04-12
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 3.xHIGH 8.1
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2015-5351
HIGH8.8

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

Published: 2016-02-25Modified: 2025-04-12
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
CVE-2016-0706
MEDIUM4.3

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

Published: 2016-02-25Modified: 2025-04-12
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References
CVE-2016-0714
HIGH8.8

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

Published: 2016-02-25Modified: 2025-04-12
CVSS 2.0MEDIUM 6.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2016-0763
MEDIUM6.3

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Published: 2016-02-25Modified: 2025-04-12
CVSS 2.0MEDIUM 6.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS 3.xMEDIUM 6.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
References
GHSA-6qr6-x7jm-x2q6
MEDIUM4.3

Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat

Published: 2022-05-14Modified: 2025-08-28
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References
GHSA-6vx3-hr43-cfrh
MEDIUM4.3

Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

Published: 2022-05-14Modified: 2023-12-08
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References
GHSA-9hjv-9h75-xmpp
MEDIUM6.3

Improper Verification of Source of a Communication Channel in Apache Tomcat

Published: 2022-05-14Modified: 2024-02-22
CVSS 3.xMEDIUM 6.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
References
GHSA-jrcp-c39h-r29x
HIGH8.1

Improper Neutralization of Input During Web Page Generation in Apache Tomcat

Published: 2022-05-14Modified: 2024-02-22
CVSS 3.xHIGH 8.1
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References
GHSA-mv42-px54-87jw
HIGH8.8

Improper Access Control in Apache Tomcat

Published: 2022-05-14Modified: 2024-03-01
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
GHSA-rh8q-vjgf-gf74
MEDIUM5.3

Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat

Published: 2022-05-14Modified: 2025-08-28
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
GHSA-w7cg-5969-678w
HIGH8.8

Apache Tomcat allows remote attackers to bypass a CSRF protection mechanism by using a token

Published: 2022-05-14Modified: 2023-12-09
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References