Description
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach the JMX ports. The issue exists because this listener was not updated for consistency with the Oracle patch for CVE-2016-3427, which changed how credential types are handled.
Related Vulnerabilities
Invision Power Board version 3.3.4 unserialize PHP code execution
WebLogic CVE-2023-22072 Vulnerability (CVE-2023-22072)
Chamilo Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2023-4224)
WordPress Plugin BruteBank-WP Security & Firewall Cross-Site Request Forgery (1.8)
WordPress Deserialization of Untrusted Data Vulnerability (CVE-2020-36326)