CVE-2016-6797

Severity: 7.5 HIGH
EPSS: 0.3% (top 43.30%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 10; Latest update May 13

Description

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (11 packages)

Ecosystem   Package                      Affected range                      More ranges
Maven       org.apache.tomcat:tomcat     9.0.0.M1 to 9.0.0.M10 (fixed)       +3
NVD         apache/tomcat                6.0.0 to 6.0.45                     +4
Ubuntu      tomcat7                      < 7.0.52-1ubuntu0.8                 +1
Ubuntu      tomcat6                      < 6.0.45+dfsg-1ubuntu0.1

Also affects: Debian Linux 8.0, Ubuntu Linux 16.04, Enterprise Linux 7.4, 7.5, 7.6, 7.7

Patches

🔴 Vulnerability Details (4)

OSV: Incorrect Authorization in Apache Tomcat (2022-05-13)
GHSA: Incorrect Authorization in Apache Tomcat (2022-05-13)
CVEList: CVE-2016-6797: The ResourceLinkFactory implementation in Apache Tomcat 9 (2017-08-10)
OSV: CVE-2016-6797: The ResourceLinkFactory implementation in Apache Tomcat 9 (2016-10-28)

📋 Vendor Advisories (4)

Ubuntu: Tomcat vulnerabilities (2020-09-30)
Ubuntu: Tomcat vulnerabilities (2017-01-23)
Red Hat: tomcat: unrestricted access to global resources (2016-10-27)
Apache: Apache tomcat: CVE-2016-6797

💬 Community (3)

Bugzilla: CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws [epel-6] (2016-11-01)
Bugzilla: CVE-2016-6797 tomcat: unrestricted access to global resources (2016-11-01)
Bugzilla: CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws [fedora-all] (2016-11-01)