Improper Authentication Affecting tomcat6 package, versions <0:6.0.24-98.el6_8


Severity

Recommended
high

Based on CentOS security rating.

Threat Intelligence

EPSS
0.27% (69th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Authentication vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CENTOS6-TOMCAT6-2134806
  • published26 Jul 2021
  • disclosed22 Feb 2016

Introduced: 22 Feb 2016

CVE-2016-0706  (opens in a new tab)
CWE-287  (opens in a new tab)

How to fix?

Upgrade Centos:6 tomcat6 to version 0:6.0.24-98.el6_8 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tomcat6 package and not the tomcat6 package as distributed by Centos. See How to fix? for Centos:6 relevant fixed versions and status.

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

References