Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2016-0763

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

See the

CVE page on Mitre.org for more details.

References

BUGTRAQ: 20160222 [SECURITY] CV...
CONFIRM: http://tomcat.apache.o...
CONFIRM: http://tomcat.apache.o...
CONFIRM: http://tomcat.apache.o...
DEBIAN: DSA-3530
CONFIRM: https://h20566.www2.hp...
CONFIRM: https://h20566.www2.hp...
DEBIAN: DSA-3609
UBUNTU: USN-3024-1
DEBIAN: DSA-3552
CONFIRM: http://www.oracle.com/...
CONFIRM: https://h20566.www2.hp...
BID: 83326
REDHAT: RHSA-2016:1087
REDHAT: RHSA-2016:1088
REDHAT: RHSA-2016:1089
CONFIRM: https://bto.bluecoat.c...
FEDORA: FEDORA-2016-e6651efbaf
SUSE: SUSE-SU-2016:0769
SUSE: SUSE-SU-2016:0822
SUSE: openSUSE-SU-2016:0865
SECTRACK: 1035069
CONFIRM: http://svn.apache.org/...
CONFIRM: http://svn.apache.org/...
CONFIRM: http://svn.apache.org/...
GENTOO: GLSA-201705-09
CONFIRM: http://www.oracle.com/...
REDHAT: RHSA-2016:2599
REDHAT: RHSA-2016:2807
REDHAT: RHSA-2016:2808
CONFIRM: https://security.netap...
MLIST: [tomcat-dev] 20190319 ...
MLIST: [tomcat-dev] 20200213 ...

Launchpad.net

CVE 2016-0763

Related bugs

References