Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2016-1240 — Improper Input Validation in Apache Tomcat
Severity
7.8HIGHNVD
EPSS
22.1%
top 4.20%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedOct 3
Latest updateMay 14
Description
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Ca…
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9
Affected Packages1 packages
🔴Vulnerability Details
4💥Exploits & PoCs
1📋Vendor Advisories
4💬Community
3Bugzilla▶
CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation↗2016-09-16
Bugzilla▶
CVE-2016-1240 tomcat: Local privilege escalation via unsafe file handling in the Tomcat init script [epel-6]↗2016-09-16
Bugzilla▶
CVE-2016-1240 tomcat: Local privilege escalation via unsafe file handling in the Tomcat init script [fedora-all]↗2016-09-16