Description

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

Remediation

References

CVE-2016-0706

Related Vulnerabilities

WordPress Plugin Profile Extra Fields by BestWebSoft Cross-Site Scripting (1.0.7)

WordPress Plugin Paid Membership, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content-ProfilePress Cross-Site Scripting (1.9.18)

WordPress Plugin Visitor Traffic Real Time Statistics SQL Injection (3.8)

WebLogic CVE-2016-3416 Vulnerability (CVE-2016-3416)

WordPress Plugin Ninja Forms Contact Form-The Drag and Drop Form Builder for WordPress Cross-Site Scripting (3.6.6)

Severity

Medium

Classification

CVE-2016-0706 CWE-200 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities