The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
08 Dec 2023, 16:41
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:* | |
References |
|
|
Information
Published : 2016-02-25 01:59
Updated : 2024-02-04 18:53
NVD link : CVE-2016-0714
Mitre link : CVE-2016-0714
CVE.ORG link : CVE-2016-0714
JSON object : View
Products Affected
canonical
- ubuntu_linux
apache
- tomcat
debian
- debian_linux
CWE
CWE-264
Permissions, Privileges, and Access Controls