FKIE_CVE-2016-0763

Vulnerability from fkie_nvd - Published: 2016-02-25 01:59 - Updated: 2025-04-12 10:46
Severity ?
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
References
secalert@redhat.comhttp://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html
secalert@redhat.comhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
secalert@redhat.comhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
secalert@redhat.comhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
secalert@redhat.comhttp://rhn.redhat.com/errata/RHSA-2016-1089.html
secalert@redhat.comhttp://rhn.redhat.com/errata/RHSA-2016-2599.html
secalert@redhat.comhttp://rhn.redhat.com/errata/RHSA-2016-2807.html
secalert@redhat.comhttp://rhn.redhat.com/errata/RHSA-2016-2808.html
secalert@redhat.comhttp://seclists.org/bugtraq/2016/Feb/147
secalert@redhat.comhttp://svn.apache.org/viewvc?view=revision&revision=1725926
secalert@redhat.comhttp://svn.apache.org/viewvc?view=revision&revision=1725929
secalert@redhat.comhttp://svn.apache.org/viewvc?view=revision&revision=1725931
secalert@redhat.comhttp://tomcat.apache.org/security-7.htmlVendor Advisory
secalert@redhat.comhttp://tomcat.apache.org/security-8.htmlVendor Advisory
secalert@redhat.comhttp://tomcat.apache.org/security-9.htmlVendor Advisory
secalert@redhat.comhttp://www.debian.org/security/2016/dsa-3530
secalert@redhat.comhttp://www.debian.org/security/2016/dsa-3552
secalert@redhat.comhttp://www.debian.org/security/2016/dsa-3609
secalert@redhat.comhttp://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
secalert@redhat.comhttp://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
secalert@redhat.comhttp://www.securityfocus.com/bid/83326
secalert@redhat.comhttp://www.securitytracker.com/id/1035069
secalert@redhat.comhttp://www.ubuntu.com/usn/USN-3024-1
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2016:1087
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2016:1088
secalert@redhat.comhttps://bto.bluecoat.com/security-advisory/sa118
secalert@redhat.comhttps://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
secalert@redhat.comhttps://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
secalert@redhat.comhttps://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
secalert@redhat.comhttps://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
secalert@redhat.comhttps://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
secalert@redhat.comhttps://security.gentoo.org/glsa/201705-09
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20180531-0001/
af854a3a-2127-422b-91ae-364da2661108http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2016-1089.html
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2016-2599.html
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2016-2807.html
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2016-2808.html
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/bugtraq/2016/Feb/147
af854a3a-2127-422b-91ae-364da2661108http://svn.apache.org/viewvc?view=revision&revision=1725926
af854a3a-2127-422b-91ae-364da2661108http://svn.apache.org/viewvc?view=revision&revision=1725929
af854a3a-2127-422b-91ae-364da2661108http://svn.apache.org/viewvc?view=revision&revision=1725931
af854a3a-2127-422b-91ae-364da2661108http://tomcat.apache.org/security-7.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://tomcat.apache.org/security-8.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://tomcat.apache.org/security-9.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2016/dsa-3530
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2016/dsa-3552
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2016/dsa-3609
af854a3a-2127-422b-91ae-364da2661108http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
af854a3a-2127-422b-91ae-364da2661108http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/83326
af854a3a-2127-422b-91ae-364da2661108http://www.securitytracker.com/id/1035069
af854a3a-2127-422b-91ae-364da2661108http://www.ubuntu.com/usn/USN-3024-1
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2016:1087
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2016:1088
af854a3a-2127-422b-91ae-364da2661108https://bto.bluecoat.com/security-advisory/sa118
af854a3a-2127-422b-91ae-364da2661108https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
af854a3a-2127-422b-91ae-364da2661108https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
af854a3a-2127-422b-91ae-364da2661108https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/201705-09
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20180531-0001/
Impacted products
Vendor Product Version
debian debian_linux 7.0
debian debian_linux 8.0
apache tomcat 7.0.0
apache tomcat 7.0.2
apache tomcat 7.0.4
apache tomcat 7.0.5
apache tomcat 7.0.6
apache tomcat 7.0.10
apache tomcat 7.0.11
apache tomcat 7.0.12
apache tomcat 7.0.14
apache tomcat 7.0.16
apache tomcat 7.0.19
apache tomcat 7.0.20
apache tomcat 7.0.21
apache tomcat 7.0.22
apache tomcat 7.0.23
apache tomcat 7.0.25
apache tomcat 7.0.26
apache tomcat 7.0.27
apache tomcat 7.0.28
apache tomcat 7.0.29
apache tomcat 7.0.30
apache tomcat 7.0.32
apache tomcat 7.0.33
apache tomcat 7.0.34
apache tomcat 7.0.35
apache tomcat 7.0.37
apache tomcat 7.0.39
apache tomcat 7.0.40
apache tomcat 7.0.41
apache tomcat 7.0.42
apache tomcat 7.0.47
apache tomcat 7.0.50
apache tomcat 7.0.52
apache tomcat 7.0.53
apache tomcat 7.0.54
apache tomcat 7.0.55
apache tomcat 7.0.56
apache tomcat 7.0.57
apache tomcat 7.0.59
apache tomcat 7.0.61
apache tomcat 7.0.62
apache tomcat 7.0.63
apache tomcat 7.0.64
apache tomcat 7.0.65
apache tomcat 7.0.67
apache tomcat 8.0.0
apache tomcat 8.0.0
apache tomcat 8.0.0
apache tomcat 8.0.0
apache tomcat 8.0.1
apache tomcat 8.0.3
apache tomcat 8.0.11
apache tomcat 8.0.12
apache tomcat 8.0.14
apache tomcat 8.0.15
apache tomcat 8.0.17
apache tomcat 8.0.18
apache tomcat 8.0.20
apache tomcat 8.0.21
apache tomcat 8.0.22
apache tomcat 8.0.23
apache tomcat 8.0.24
apache tomcat 8.0.26
apache tomcat 8.0.27
apache tomcat 8.0.28
apache tomcat 8.0.29
apache tomcat 8.0.30
apache tomcat 9.0.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.10
canonical ubuntu_linux 16.04
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*",
              "matchCriteriaId": "33E9607B-4D28-460D-896B-E4B7FA22441E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*",
              "matchCriteriaId": "81A31CA0-A209-4C49-AA06-C38E165E5B68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*",
              "matchCriteriaId": "0AA563BF-A67A-477D-956A-167ABEF885C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*",
              "matchCriteriaId": "6F1B937B-57E0-4E88-9E39-39012A924525",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "8980E61E-27BE-4858-82B3-C0E8128AF521",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "A9731BAA-4C6C-4259-B786-F577D8A90FA1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "305688F2-50A6-41FB-8614-BC589DB9A789",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*",
              "matchCriteriaId": "25966344-15D5-4101-9346-B06BFD2DFFF5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D4F710E-06EA-48F4-AC6A-6F143950F015",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C4936C2-0B2D-4C44-98C3-443090965F5E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*",
              "matchCriteriaId": "48453405-2319-4327-9F4C-6F70B49452C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "49DD9544-6424-41A6-AEC0-EC19B8A10E71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*",
              "matchCriteriaId": "E4670E65-2E11-49A4-B661-57C2F60D411F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*",
              "matchCriteriaId": "31002A23-4788-4BC7-AE11-A3C2AA31716D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*",
              "matchCriteriaId": "7144EDDF-8265-4642-8EEB-ED52527E0A26",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF06B5C1-B9DD-4673-A101-56E1E593ACDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D731065-626B-4425-8E49-F708DD457824",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*",
              "matchCriteriaId": "B3D850EA-E537-42C8-93B9-96E15CB26747",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*",
              "matchCriteriaId": "E037DA05-2BEF-4F64-B8BB-307247B6A05C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*",
              "matchCriteriaId": "D395D95B-1F4A-420E-A0F6-609360AF7B69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*",
              "matchCriteriaId": "9BD221BA-0AB6-4972-8AD9-5D37AC07762F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*",
              "matchCriteriaId": "E55B6565-96CB-4F6A-9A80-C3FB82F30546",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3300AFE-49A4-4904-B9A0-5679F09FA01E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*",
              "matchCriteriaId": "7BD93669-1B30-4BF8-AD7D-F60DD8D63CC8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8C8C97F-6C9D-4647-AB8A-ADAA5536DDE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C6109D1-BC36-40C5-A02A-7AEBC949BAC0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*",
              "matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*",
              "matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*",
              "matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D55DF79-F9BE-4907-A4D8-96C4B11189ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*",
              "matchCriteriaId": "14AB5787-82D7-4F78-BE93-4556AB7A7D0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*",
              "matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*",
              "matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*",
              "matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*",
              "matchCriteriaId": "CDA1555C-E55A-4E14-B786-BFEE3F09220B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*",
              "matchCriteriaId": "F8075E9A-DA7F-4A0B-8B4D-0CD951369111",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*",
              "matchCriteriaId": "335A5320-6086-4B45-9903-82F6F92A584F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*",
              "matchCriteriaId": "46B33408-C2E2-4E7C-9334-6AB98F13468C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*",
              "matchCriteriaId": "9F036676-9EFB-4A92-828E-A38905D594E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9728EE8-6029-4DF3-942E-E4ACC09111A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*",
              "matchCriteriaId": "34E7DAC8-8419-45D1-A28F-14CF2FE1B6EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "4752862B-7D26-4285-B8A0-CF082C758353",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*",
              "matchCriteriaId": "58EA7199-3373-4F97-9907-3A479A02155E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F963D737-2E95-4D7C-92C7-DACF3F36D1E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "2BBBC5EA-012C-4C5D-A61B-BAF134B300DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2A358FDF-C249-4D7A-9445-8B9E7D9D40AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "AFF96F96-34DB-4EB3-BF59-11220673FA26",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "701424A2-BB06-44B5-B468-7164E4F95529",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BA6388C-5B6E-4651-8AE3-EBCCF61C27E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F9A5B7E-33A9-4651-9BE1-371A0064B661",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*",
              "matchCriteriaId": "F99252E8-A59C-48E1-B251-718D7FB3E399",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E0DDEF6-A8EE-46C4-A046-A1F26E7C4E87",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "14B38892-9C00-4510-B7BA-F2A8F2CACCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "7409B064-D43E-489E-AEC6-0A767FB21737",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*",
              "matchCriteriaId": "F019268F-80C4-48FE-8164-E9DA0A3BAFF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "1EFBD214-FCFE-4F04-A903-66EFDA764B9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*",
              "matchCriteriaId": "425D86B3-6BB9-410D-8125-F7CF87290AD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*",
              "matchCriteriaId": "3EE3BB0D-1002-41E4-9BE8-875D97330057",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*",
              "matchCriteriaId": "6622472B-8644-4D45-A54B-A215C3D64B83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*",
              "matchCriteriaId": "B338F95B-2924-435B-827F-E64420A93244",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*",
              "matchCriteriaId": "209D1349-7740-4DBE-80A5-E6343C62BAB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*",
              "matchCriteriaId": "09E77C24-C265-403D-A193-B3739713F6B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*",
              "matchCriteriaId": "28616FA3-9A98-4AAE-9F94-3E77A14156EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context."
    },
    {
      "lang": "es",
      "value": "El m\u00e9todo setGlobalContext en org/apache/naming/factory/ResourceLinkFactory.java en Apache Tomcat 7.x en versiones anteriores a 7.0.68, 8.x en versiones anteriores a 8.0.31 y 9.x en versiones anteriores a 9.0.0.M3 no considera si los que llaman a ResourceLinkFactory.setGlobalContext est\u00e1n autorizados, lo que permite a usuarios remotos autenticados eludir las restricciones de SecurityManager previstas y leer o escribir a datos de aplicaci\u00f3n arbitrarios, o provocar una denegaci\u00f3n de servicio (interrupci\u00f3n de aplicaci\u00f3n), a trav\u00e9s de una aplicaci\u00f3n web que establece un contexto global manipulado."
    }
  ],
  "id": "CVE-2016-0763",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-02-25T01:59:06.280",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1089.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://seclists.org/bugtraq/2016/Feb/147"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1725926"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1725929"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1725931"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://tomcat.apache.org/security-7.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://tomcat.apache.org/security-8.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://tomcat.apache.org/security-9.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.debian.org/security/2016/dsa-3530"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.debian.org/security/2016/dsa-3552"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.debian.org/security/2016/dsa-3609"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/bid/83326"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securitytracker.com/id/1035069"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.ubuntu.com/usn/USN-3024-1"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2016:1087"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2016:1088"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bto.bluecoat.com/security-advisory/sa118"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://security.gentoo.org/glsa/201705-09"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://security.netapp.com/advisory/ntap-20180531-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1089.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/bugtraq/2016/Feb/147"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1725926"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1725929"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1725931"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://tomcat.apache.org/security-7.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://tomcat.apache.org/security-8.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://tomcat.apache.org/security-9.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2016/dsa-3530"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2016/dsa-3552"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2016/dsa-3609"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/83326"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1035069"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-3024-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2016:1087"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2016:1088"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bto.bluecoat.com/security-advisory/sa118"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.gentoo.org/glsa/201705-09"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20180531-0001/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.