rpm package: suse/tomcat (distro: SUSE Linux Enterprise Server 12)
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-0763 | Medium | 6.3 | | < 7.0.68-7.6.1 | 7.0.68-7.6.1 | Feb 25, 2016 | The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticate |
| CVE-2016-0714 | High | 8.8 | | < 7.0.68-7.6.1 | 7.0.68-7.6.1 | Feb 25, 2016 | The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary co |
| CVE-2016-0706 | Medium | 4.3 | | < 7.0.68-7.6.1 | 7.0.68-7.6.1 | Feb 25, 2016 | Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass int |
| CVE-2015-5351 | High | 8.8 | | < 7.0.68-7.6.1 | 7.0.68-7.6.1 | Feb 25, 2016 | The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a toke |
| CVE-2015-5346 | High | 8.1 | | < 7.0.68-7.6.1 | 7.0.68-7.6.1 | Feb 25, 2016 | Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leverag |
| CVE-2015-5345 | Medium | 5.3 | | < 7.0.68-7.6.1 | 7.0.68-7.6.1 | Feb 25, 2016 | The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that l |
| CVE-2015-5174 | Medium | 4.3 | | < 7.0.68-7.6.1 | 7.0.68-7.6.1 | Feb 25, 2016 | Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname |
| CVE-2014-7810 | — | — | | < 7.0.55-8.2 | 7.0.55-8.2 | Jun 7, 2015 | The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager |