Critical severity 9.1 · NVD Advisory · Published Aug 10, 2017 · Updated May 13, 2026
CVE-2016-5018
Description
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat-jasper (Maven) | >= 9.0.0.M1, < 9.0.0.M10 | 9.0.0.M10 |
| org.apache.tomcat:tomcat-jasper (Maven) | >= 8.5.0, < 8.5.5 | 8.5.5 |
| org.apache.tomcat:tomcat-jasper (Maven) | >= 8.0.0RC1, < 8.0.37 | 8.0.37 |
| org.apache.tomcat:tomcat-jasper (Maven) | >= 7.0.0, < 7.0.72 | 7.0.72 |
| org.apache.tomcat:jasper (Maven) | >= 6.0.0, < 6.0.47 | 6.0.47 |
| org.apache.tomcat.embed:tomcat-embed-jasper (Maven) | >= 9.0.0.M1, < 9.0.0.M10 | 9.0.0.M10 |
| org.apache.tomcat.embed:tomcat-embed-jasper (Maven) | >= 8.5.0, < 8.5.5 | 8.5.5 |
| org.apache.tomcat.embed:tomcat-embed-jasper (Maven) | >= 8.0.0RC1, < 8.0.37 | 8.0.37 |
| org.apache.tomcat.embed:tomcat-embed-jasper (Maven) | >= 7.0.0, < 7.0.72 | 7.0.72 |
| org.apache.tomcat.embed:tomcat-embed-jasper (Maven) | >= 6.0.0, < 6.0.47 | 6.0.47 |
Affected products
1- Apache Software Foundation/Apache Tomcatv5Range: 9.0.0.M1 to 9.0.0.M9
Patches
3 patches, each: 1 file changed · +1 −58
java/org/apache/jasper/runtime/JspRuntimeLibrary.java+1 −58 modified@@ -14,7 +14,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - package org.apache.jasper.runtime; import java.beans.PropertyEditor; @@ -23,9 +22,6 @@ import java.io.IOException; import java.io.OutputStreamWriter; import java.lang.reflect.Method; -import java.security.AccessController; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; import java.util.Enumeration; import javax.servlet.RequestDispatcher; @@ -37,7 +33,6 @@ import javax.servlet.jsp.PageContext; import javax.servlet.jsp.tagext.BodyContent; -import org.apache.jasper.Constants; import org.apache.jasper.JasperException; import org.apache.jasper.compiler.Localizer; import org.apache.jasper.util.ExceptionUtils; @@ -56,36 +51,6 @@ */ public class JspRuntimeLibrary { - protected static class PrivilegedIntrospectHelper - implements PrivilegedExceptionAction<Void> { - - private Object bean; - private String prop; - private String value; - private ServletRequest request; - private String param; - private boolean ignoreMethodNF; - - PrivilegedIntrospectHelper(Object bean, String prop, - String value, ServletRequest request, - String param, boolean ignoreMethodNF) - { - this.bean = bean; - this.prop = prop; - this.value = value; - this.request = request; - this.param = param; - this.ignoreMethodNF = ignoreMethodNF; - } - - @Override - public Void run() throws JasperException { - internalIntrospecthelper( - bean,prop,value,request,param,ignoreMethodNF); - return null; - } - } - /** * Returns the value of the javax.servlet.error.exception request * attribute value, if present, otherwise the value of the 
@@ -290,29 +255,7 @@ public static void introspect(Object bean, ServletRequest request) public static void introspecthelper(Object bean, String prop, String value, ServletRequest request, String param, boolean ignoreMethodNF) - throws JasperException - { - if( Constants.IS_SECURITY_ENABLED ) { - try { - PrivilegedIntrospectHelper dp = - new PrivilegedIntrospectHelper( - bean,prop,value,request,param,ignoreMethodNF); - AccessController.doPrivileged(dp); - } catch( PrivilegedActionException pe) { - Exception e = pe.getException(); - throw (JasperException)e; - } - } else { - internalIntrospecthelper( - bean,prop,value,request,param,ignoreMethodNF); - } - } - - private static void internalIntrospecthelper(Object bean, String prop, - String value, ServletRequest request, - String param, boolean ignoreMethodNF) - throws JasperException - { + throws JasperException { Method method = null; Class<?> type = null; Class<?> propertyEditorClass = null;
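Review bot: The surviving `introspecthelper` declaration at the top of this hunk is still `public static` in a class that web application code can reach, yet nothing on the new side records that the reflective property set it performs must now run under the caller's own protection domain; without that note a later cleanup could reintroduce a `doPrivileged` wrapper and reopen the SecurityManager bypass this commit closes. Add a Javadoc to the declaration stating that the method executes with the caller's permissions and must not be wrapped in `AccessController.doPrivileged` (or delegate to any privileged action), because it is callable directly from web applications. The method's body continues past the end of the hunk, so the reflection call itself is not visible here. The identical hunk (`@@ -294,29 +259,7 @@`) appears in the two following file sections for the other branches, and the same note applies to each of them.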
1 file changed · +1 −58
java/org/apache/jasper/runtime/JspRuntimeLibrary.java+1 −58 modified@@ -14,7 +14,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - package org.apache.jasper.runtime; import java.beans.PropertyEditor; @@ -23,9 +22,6 @@ import java.io.IOException; import java.io.OutputStreamWriter; import java.lang.reflect.Method; -import java.security.AccessController; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; import java.util.Enumeration; import javax.servlet.RequestDispatcher; @@ -37,7 +33,6 @@ import javax.servlet.jsp.PageContext; import javax.servlet.jsp.tagext.BodyContent; -import org.apache.jasper.Constants; import org.apache.jasper.JasperException; import org.apache.jasper.compiler.Localizer; import org.apache.jasper.util.ExceptionUtils; @@ -56,36 +51,6 @@ */ public class JspRuntimeLibrary { - protected static class PrivilegedIntrospectHelper - implements PrivilegedExceptionAction<Void> { - - private final Object bean; - private final String prop; - private final String value; - private final ServletRequest request; - private final String param; - private final boolean ignoreMethodNF; - - PrivilegedIntrospectHelper(Object bean, String prop, - String value, ServletRequest request, - String param, boolean ignoreMethodNF) - { - this.bean = bean; - this.prop = prop; - this.value = value; - this.request = request; - this.param = param; - this.ignoreMethodNF = ignoreMethodNF; - } - - @Override - public Void run() throws JasperException { - internalIntrospecthelper( - bean,prop,value,request,param,ignoreMethodNF); - return null; - } - } - /** * Returns the value of the javax.servlet.error.exception request * attribute value, if present, otherwise the value of the 
@@ -294,29 +259,7 @@ public static void introspect(Object bean, ServletRequest request) public static void introspecthelper(Object bean, String prop, String value, ServletRequest request, String param, boolean ignoreMethodNF) - throws JasperException - { - if( Constants.IS_SECURITY_ENABLED ) { - try { - PrivilegedIntrospectHelper dp = - new PrivilegedIntrospectHelper( - bean,prop,value,request,param,ignoreMethodNF); - AccessController.doPrivileged(dp); - } catch( PrivilegedActionException pe) { - Exception e = pe.getException(); - throw (JasperException)e; - } - } else { - internalIntrospecthelper( - bean,prop,value,request,param,ignoreMethodNF); - } - } - - private static void internalIntrospecthelper(Object bean, String prop, - String value, ServletRequest request, - String param, boolean ignoreMethodNF) - throws JasperException - { + throws JasperException { Method method = null; Class<?> type = null; Class<?> propertyEditorClass = null;
1 file changed · +1 −58
java/org/apache/jasper/runtime/JspRuntimeLibrary.java+1 −58 modified@@ -14,7 +14,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - package org.apache.jasper.runtime; import java.beans.PropertyEditor; @@ -23,9 +22,6 @@ import java.io.IOException; import java.io.OutputStreamWriter; import java.lang.reflect.Method; -import java.security.AccessController; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; import java.util.Enumeration; import javax.servlet.RequestDispatcher; @@ -37,7 +33,6 @@ import javax.servlet.jsp.PageContext; import javax.servlet.jsp.tagext.BodyContent; -import org.apache.jasper.Constants; import org.apache.jasper.JasperException; import org.apache.jasper.compiler.Localizer; import org.apache.jasper.util.ExceptionUtils; @@ -56,36 +51,6 @@ */ public class JspRuntimeLibrary { - protected static class PrivilegedIntrospectHelper - implements PrivilegedExceptionAction<Void> { - - private final Object bean; - private final String prop; - private final String value; - private final ServletRequest request; - private final String param; - private final boolean ignoreMethodNF; - - PrivilegedIntrospectHelper(Object bean, String prop, - String value, ServletRequest request, - String param, boolean ignoreMethodNF) - { - this.bean = bean; - this.prop = prop; - this.value = value; - this.request = request; - this.param = param; - this.ignoreMethodNF = ignoreMethodNF; - } - - @Override - public Void run() throws JasperException { - internalIntrospecthelper( - bean,prop,value,request,param,ignoreMethodNF); - return null; - } - } - /** * Returns the value of the javax.servlet.error.exception request * attribute value, if present, otherwise the value of the 
@@ -294,29 +259,7 @@ public static void introspect(Object bean, ServletRequest request) public static void introspecthelper(Object bean, String prop, String value, ServletRequest request, String param, boolean ignoreMethodNF) - throws JasperException - { - if( Constants.IS_SECURITY_ENABLED ) { - try { - PrivilegedIntrospectHelper dp = - new PrivilegedIntrospectHelper( - bean,prop,value,request,param,ignoreMethodNF); - AccessController.doPrivileged(dp); - } catch( PrivilegedActionException pe) { - Exception e = pe.getException(); - throw (JasperException)e; - } - } else { - internalIntrospecthelper( - bean,prop,value,request,param,ignoreMethodNF); - } - } - - private static void internalIntrospecthelper(Object bean, String prop, - String value, ServletRequest request, - String param, boolean ignoreMethodNF) - throws JasperException - { + throws JasperException { Method method = null; Class<?> type = null; Class<?> propertyEditorClass = null;
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
53 references
- www.oracle.com/security-alerts/cpuoct2021.htmlnvdPatchThird Party AdvisoryWEB
- packetstormsecurity.com/files/155873/Tomcat-9.0.0.M1-Sandbox-Escape.htmlnvdExploitThird Party AdvisoryVDB EntryWEB
- rhn.redhat.com/errata/RHSA-2017-0457.htmlnvdThird Party AdvisoryWEB
- rhn.redhat.com/errata/RHSA-2017-1551.htmlnvdThird Party AdvisoryWEB
- www.debian.org/security/2016/dsa-3720nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:0455nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:0456nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:1548nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:1549nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:1550nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:1552nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:2247nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-4v3g-g84w-hv7rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-5018ghsaADVISORY
- security.netapp.com/advisory/ntap-20180605-0001/nvdThird Party Advisory
- usn.ubuntu.com/4557-1/nvdThird Party Advisory
- www.securityfocus.com/bid/93942nvdBroken Link
- www.securitytracker.com/id/1037142nvdBroken Link
- www.securitytracker.com/id/1038757nvdBroken Link
- github.com/apache/tomcat/commit/648122fef84d3b43223e0b5ae668f84719dada0aghsaWEB
- github.com/apache/tomcat/commit/890a2f681ed2f3461b27983d7da9737375ff2ae4ghsaWEB
- github.com/apache/tomcat/commit/a6b1ebc246b91b854237e5aad3dfd2b5460ea282ghsaWEB
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/9b3a63a20c87179815fdea14f6766853bafe79a0042dc0b4aa878a9e%40%3Cannounce.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/9b3a63a20c87179815fdea14f6766853bafe79a0042dc0b4aa878a9e@%3Cannounce.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3EghsaWEB
- security.netapp.com/advisory/ntap-20180605-0001ghsaWEB
- usn.ubuntu.com/4557-1ghsaWEB
- web.archive.org/web/20161125134649/http://www.securityfocus.com/bid/93942ghsaWEB
- web.archive.org/web/20170908024318/http://www.securitytracker.com/id/1037142ghsaWEB
- web.archive.org/web/20171012232225/http://www.securitytracker.com/id/1038757ghsaWEB