csaf_redhat - rhsa-2016

rhsa-2016_1432

Vulnerability from csaf_redhat

Published

2016-07-18 19:41

Modified

2024-09-13 11:32

Summary

Red Hat Security Advisory: jboss-ec2-eap security, bug fix, and enhancement update

Notes

Topic

A jboss-ec2-eap update is now available for Red Hat JBoss Enterprise Application Platform 6.4.0 on Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.9. Security Fix(es): * It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141) More information about this vulnerability is available at: https://access.redhat.com/articles/2360521 * A directory traversal flaw was found in Tomcat's and JBoss Web's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174) The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A jboss-ec2-eap update is now available for Red Hat JBoss Enterprise Application Platform 6.4.0 on Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.\n\nThe jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.9.\n\nSecurity Fix(es):\n\n* It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)\n\nMore information about this vulnerability is available at: https://access.redhat.com/articles/2360521\n\n* A directory traversal flaw was found in Tomcat\u0027s and JBoss Web\u0027s RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a \u0027/..\u0027 in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)\n\nThe CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:1432",
        "url": "https://access.redhat.com/errata/RHSA-2016:1432"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html",
        "url": "https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/articles/2360521",
        "url": "https://access.redhat.com/articles/2360521"
      },
      {
        "category": "external",
        "summary": "1265698",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1265698"
      },
      {
        "category": "external",
        "summary": "1313589",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1313589"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2016/rhsa-2016_1432.json"
      }
    ],
    "title": "Red Hat Security Advisory: jboss-ec2-eap security, bug fix, and enhancement update",
    "tracking": {
      "current_release_date": "2024-09-13T11:32:10+00:00",
      "generator": {
        "date": "2024-09-13T11:32:10+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2016:1432",
      "initial_release_date": "2016-07-18T19:41:10+00:00",
      "revision_history": [
        {
          "date": "2016-07-18T19:41:10+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2016-07-18T19:41:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-13T11:32:10+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
                  "product_id": "6Server-JBEAP-6.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
                "product": {
                  "name": "jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
                  "product_id": "jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-ec2-eap-samples@7.5.9-2.Final_redhat_2.ep6.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
                "product": {
                  "name": "jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
                  "product_id": "jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-ec2-eap@7.5.9-2.Final_redhat_2.ep6.el6?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src",
                "product": {
                  "name": "jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src",
                  "product_id": "jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-ec2-eap@7.5.9-2.Final_redhat_2.ep6.el6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
          "product_id": "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch"
        },
        "product_reference": "jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
        "relates_to_product_reference": "6Server-JBEAP-6.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
          "product_id": "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src"
        },
        "product_reference": "jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src",
        "relates_to_product_reference": "6Server-JBEAP-6.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
          "product_id": "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch"
        },
        "product_reference": "jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
        "relates_to_product_reference": "6Server-JBEAP-6.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2015-5174",
      "discovery_date": "2015-08-09T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1265698"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A directory traversal flaw was found in Tomcat\u0027s RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a \u0027/..\u0027 in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tomcat: URL Normalization issue",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src",
          "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-5174"
        },
        {
          "category": "external",
          "summary": "RHBZ#1265698",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1265698"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5174",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-5174"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5174",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5174"
        },
        {
          "category": "external",
          "summary": "http://seclists.org/bugtraq/2016/Feb/149",
          "url": "http://seclists.org/bugtraq/2016/Feb/149"
        }
      ],
      "release_date": "2016-02-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe JBoss server process must be restarted for the update to take effect.",
          "product_ids": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1432"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "tomcat: URL Normalization issue"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dennis Reed"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2016-2141",
      "discovery_date": "2015-11-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1313589"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "JGroups: Authorization bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src",
          "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-2141"
        },
        {
          "category": "external",
          "summary": "RHBZ#1313589",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1313589"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2141",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-2141"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2141",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2141"
        }
      ],
      "release_date": "2016-06-23T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe JBoss server process must be restarted for the update to take effect.",
          "product_ids": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1432"
        },
        {
          "category": "workaround",
          "details": "Please refer to https://access.redhat.com/articles/2360521 for more information.",
          "product_ids": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "JGroups: Authorization bypass"
    }
  ]
}

cve-2015-5174

Vulnerability from cvelistv5

Published

2016-02-25 01:00

Modified

2024-08-06 06:41

Severity

Summary

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

References

URL	Tags
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964	x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	x_refsource_CONFIRM
https://security.gentoo.org/glsa/201705-09	vendor-advisory, x_refsource_GENTOO
http://svn.apache.org/viewvc?view=revision&revision=1700900	x_refsource_CONFIRM
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html	x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html	vendor-advisory, x_refsource_SUSE
http://www.ubuntu.com/usn/USN-3024-1	vendor-advisory, x_refsource_UBUNTU
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html	vendor-advisory, x_refsource_SUSE
http://rhn.redhat.com/errata/RHSA-2016-2045.html	vendor-advisory, x_refsource_REDHAT
http://www.debian.org/security/2016/dsa-3530	vendor-advisory, x_refsource_DEBIAN
http://tomcat.apache.org/security-7.html	x_refsource_CONFIRM
http://marc.info/?l=bugtraq&m=145974991225029&w=2	vendor-advisory, x_refsource_HP
http://svn.apache.org/viewvc?view=revision&revision=1696284	x_refsource_CONFIRM
http://tomcat.apache.org/security-8.html	x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2016:1434	vendor-advisory, x_refsource_REDHAT
http://svn.apache.org/viewvc?view=revision&revision=1700898	x_refsource_CONFIRM
http://www.securitytracker.com/id/1035070	vdb-entry, x_refsource_SECTRACK
https://bto.bluecoat.com/security-advisory/sa118	x_refsource_CONFIRM
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442	x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2016:1433	vendor-advisory, x_refsource_REDHAT
https://security.netapp.com/advisory/ntap-20180531-0001/	x_refsource_CONFIRM
http://tomcat.apache.org/security-6.html	x_refsource_CONFIRM
http://www.securityfocus.com/bid/83329	vdb-entry, x_refsource_BID
https://access.redhat.com/errata/RHSA-2016:1432	vendor-advisory, x_refsource_REDHAT
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html	vendor-advisory, x_refsource_SUSE
http://rhn.redhat.com/errata/RHSA-2016-2599.html	vendor-advisory, x_refsource_REDHAT
http://seclists.org/bugtraq/2016/Feb/149	mailing-list, x_refsource_BUGTRAQ
http://www.debian.org/security/2016/dsa-3609	vendor-advisory, x_refsource_DEBIAN
http://packetstormsecurity.com/files/135883/Apache-Tomcat-Limited-Directory-Traversal.html	x_refsource_MISC
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html	vendor-advisory, x_refsource_SUSE
http://svn.apache.org/viewvc?view=revision&revision=1696281	x_refsource_CONFIRM
http://svn.apache.org/viewvc?view=revision&revision=1700897	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2016-1435.html	vendor-advisory, x_refsource_REDHAT
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626	x_refsource_CONFIRM
http://www.debian.org/security/2016/dsa-3552	vendor-advisory, x_refsource_DEBIAN
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/rd4863c79bf729aabb95571fd845a9ea4ee3ae3fcee48f35aba007350%40%3Cusers.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r0b24f2c7507f702348e2c2d64e8a5de72bad6173658e8d8e45322ac2%40%3Cusers.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:41:07.953Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
          },
          {
            "name": "GLSA-201705-09",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201705-09"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700900"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
          },
          {
            "name": "openSUSE-SU-2016:0865",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"
          },
          {
            "name": "USN-3024-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-3024-1"
          },
          {
            "name": "SUSE-SU-2016:0769",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"
          },
          {
            "name": "RHSA-2016:2045",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html"
          },
          {
            "name": "DSA-3530",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3530"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://tomcat.apache.org/security-7.html"
          },
          {
            "name": "HPSBUX03561",
            "tags": [
              "vendor-advisory",
              "x_refsource_HP",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=145974991225029\u0026w=2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696284"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://tomcat.apache.org/security-8.html"
          },
          {
            "name": "RHSA-2016:1434",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1434"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700898"
          },
          {
            "name": "1035070",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1035070"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bto.bluecoat.com/security-advisory/sa118"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"
          },
          {
            "name": "RHSA-2016:1433",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1433"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20180531-0001/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://tomcat.apache.org/security-6.html"
          },
          {
            "name": "83329",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/83329"
          },
          {
            "name": "RHSA-2016:1432",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1432"
          },
          {
            "name": "SUSE-SU-2016:0822",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"
          },
          {
            "name": "RHSA-2016:2599",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
          },
          {
            "name": "20160222 [SECURITY] CVE-2015-5174 Apache Tomcat Limited Directory Traversal",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://seclists.org/bugtraq/2016/Feb/149"
          },
          {
            "name": "DSA-3609",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3609"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/135883/Apache-Tomcat-Limited-Directory-Traversal.html"
          },
          {
            "name": "SUSE-SU-2016:0839",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696281"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700897"
          },
          {
            "name": "RHSA-2016:1435",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1435.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"
          },
          {
            "name": "DSA-3552",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3552"
          },
          {
            "name": "[tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200130 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd4863c79bf729aabb95571fd845a9ea4ee3ae3fcee48f35aba007350%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200130 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r0b24f2c7507f702348e2c2d64e8a5de72bad6173658e8d8e45322ac2%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200131 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20200203 svn commit: r1873527 [23/30] - /tomcat/site/trunk/docs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200203 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200204 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20200213 svn commit: r1873980 [26/34] - /tomcat/site/trunk/docs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-02-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-13T16:09:39",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
        },
        {
          "name": "GLSA-201705-09",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201705-09"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700900"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
        },
        {
          "name": "openSUSE-SU-2016:0865",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"
        },
        {
          "name": "USN-3024-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-3024-1"
        },
        {
          "name": "SUSE-SU-2016:0769",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"
        },
        {
          "name": "RHSA-2016:2045",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html"
        },
        {
          "name": "DSA-3530",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3530"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://tomcat.apache.org/security-7.html"
        },
        {
          "name": "HPSBUX03561",
          "tags": [
            "vendor-advisory",
            "x_refsource_HP"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=145974991225029\u0026w=2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696284"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://tomcat.apache.org/security-8.html"
        },
        {
          "name": "RHSA-2016:1434",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1434"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700898"
        },
        {
          "name": "1035070",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1035070"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bto.bluecoat.com/security-advisory/sa118"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"
        },
        {
          "name": "RHSA-2016:1433",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1433"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20180531-0001/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://tomcat.apache.org/security-6.html"
        },
        {
          "name": "83329",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/83329"
        },
        {
          "name": "RHSA-2016:1432",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1432"
        },
        {
          "name": "SUSE-SU-2016:0822",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"
        },
        {
          "name": "RHSA-2016:2599",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
        },
        {
          "name": "20160222 [SECURITY] CVE-2015-5174 Apache Tomcat Limited Directory Traversal",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://seclists.org/bugtraq/2016/Feb/149"
        },
        {
          "name": "DSA-3609",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3609"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/135883/Apache-Tomcat-Limited-Directory-Traversal.html"
        },
        {
          "name": "SUSE-SU-2016:0839",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696281"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700897"
        },
        {
          "name": "RHSA-2016:1435",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1435.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"
        },
        {
          "name": "DSA-3552",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3552"
        },
        {
          "name": "[tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200130 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd4863c79bf729aabb95571fd845a9ea4ee3ae3fcee48f35aba007350%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200130 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r0b24f2c7507f702348e2c2d64e8a5de72bad6173658e8d8e45322ac2%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200131 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20200203 svn commit: r1873527 [23/30] - /tomcat/site/trunk/docs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200203 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200204 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20200213 svn commit: r1873980 [26/34] - /tomcat/site/trunk/docs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5174",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964",
              "refsource": "CONFIRM",
              "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
            },
            {
              "name": "GLSA-201705-09",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201705-09"
            },
            {
              "name": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700900",
              "refsource": "CONFIRM",
              "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700900"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
            },
            {
              "name": "openSUSE-SU-2016:0865",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"
            },
            {
              "name": "USN-3024-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-3024-1"
            },
            {
              "name": "SUSE-SU-2016:0769",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"
            },
            {
              "name": "RHSA-2016:2045",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html"
            },
            {
              "name": "DSA-3530",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3530"
            },
            {
              "name": "http://tomcat.apache.org/security-7.html",
              "refsource": "CONFIRM",
              "url": "http://tomcat.apache.org/security-7.html"
            },
            {
              "name": "HPSBUX03561",
              "refsource": "HP",
              "url": "http://marc.info/?l=bugtraq\u0026m=145974991225029\u0026w=2"
            },
            {
              "name": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696284",
              "refsource": "CONFIRM",
              "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696284"
            },
            {
              "name": "http://tomcat.apache.org/security-8.html",
              "refsource": "CONFIRM",
              "url": "http://tomcat.apache.org/security-8.html"
            },
            {
              "name": "RHSA-2016:1434",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:1434"
            },
            {
              "name": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700898",
              "refsource": "CONFIRM",
              "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700898"
            },
            {
              "name": "1035070",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1035070"
            },
            {
              "name": "https://bto.bluecoat.com/security-advisory/sa118",
              "refsource": "CONFIRM",
              "url": "https://bto.bluecoat.com/security-advisory/sa118"
            },
            {
              "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442",
              "refsource": "CONFIRM",
              "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"
            },
            {
              "name": "RHSA-2016:1433",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:1433"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20180531-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20180531-0001/"
            },
            {
              "name": "http://tomcat.apache.org/security-6.html",
              "refsource": "CONFIRM",
              "url": "http://tomcat.apache.org/security-6.html"
            },
            {
              "name": "83329",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/83329"
            },
            {
              "name": "RHSA-2016:1432",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:1432"
            },
            {
              "name": "SUSE-SU-2016:0822",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"
            },
            {
              "name": "RHSA-2016:2599",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html"
            },
            {
              "name": "20160222 [SECURITY] CVE-2015-5174 Apache Tomcat Limited Directory Traversal",
              "refsource": "BUGTRAQ",
              "url": "http://seclists.org/bugtraq/2016/Feb/149"
            },
            {
              "name": "DSA-3609",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3609"
            },
            {
              "name": "http://packetstormsecurity.com/files/135883/Apache-Tomcat-Limited-Directory-Traversal.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/135883/Apache-Tomcat-Limited-Directory-Traversal.html"
            },
            {
              "name": "SUSE-SU-2016:0839",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html"
            },
            {
              "name": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696281",
              "refsource": "CONFIRM",
              "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1696281"
            },
            {
              "name": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700897",
              "refsource": "CONFIRM",
              "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1700897"
            },
            {
              "name": "RHSA-2016:1435",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1435.html"
            },
            {
              "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626",
              "refsource": "CONFIRM",
              "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"
            },
            {
              "name": "DSA-3552",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3552"
            },
            {
              "name": "[tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200130 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd4863c79bf729aabb95571fd845a9ea4ee3ae3fcee48f35aba007350@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200130 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r0b24f2c7507f702348e2c2d64e8a5de72bad6173658e8d8e45322ac2@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200131 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20200203 svn commit: r1873527 [23/30] - /tomcat/site/trunk/docs/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200203 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200204 Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20200213 svn commit: r1873980 [26/34] - /tomcat/site/trunk/docs/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-5174",
    "datePublished": "2016-02-25T01:00:00",
    "dateReserved": "2015-07-01T00:00:00",
    "dateUpdated": "2024-08-06T06:41:07.953Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-2141

Vulnerability from cvelistv5

Published

2016-06-30 00:00

Modified

2024-08-05 23:17

Severity

Summary

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.

References

URL	Tags
https://access.redhat.com/errata/RHSA-2016:1347	vendor-advisory
http://rhn.redhat.com/errata/RHSA-2016-2035.html	vendor-advisory
https://access.redhat.com/errata/RHSA-2016:1389	vendor-advisory
https://access.redhat.com/errata/RHSA-2016:1345	vendor-advisory
https://access.redhat.com/errata/RHSA-2016:1376	vendor-advisory
https://rhn.redhat.com/errata/RHSA-2016-1330.html	vendor-advisory
http://rhn.redhat.com/errata/RHSA-2016-1439.html	vendor-advisory
https://rhn.redhat.com/errata/RHSA-2016-1331.html	vendor-advisory
http://www.securityfocus.com/bid/91481	vdb-entry
https://access.redhat.com/errata/RHSA-2016:1434	vendor-advisory
https://rhn.redhat.com/errata/RHSA-2016-1328.html	vendor-advisory
https://access.redhat.com/errata/RHSA-2016:1433	vendor-advisory
https://issues.jboss.org/browse/JGRP-2021
https://access.redhat.com/errata/RHSA-2016:1374	vendor-advisory
https://access.redhat.com/errata/RHSA-2016:1432	vendor-advisory
https://access.redhat.com/errata/RHSA-2016:1346	vendor-advisory
https://rhn.redhat.com/errata/RHSA-2016-1334.html	vendor-advisory
https://rhn.redhat.com/errata/RHSA-2016-1333.html	vendor-advisory
https://rhn.redhat.com/errata/RHSA-2016-1329.html	vendor-advisory
https://rhn.redhat.com/errata/RHSA-2016-1332.html	vendor-advisory
http://rhn.redhat.com/errata/RHSA-2016-1435.html	vendor-advisory
http://www.securitytracker.com/id/1036165	vdb-entry
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E	mailing-list
https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E	mailing-list

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T23:17:50.610Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:1347",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1347"
          },
          {
            "name": "RHSA-2016:2035",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"
          },
          {
            "name": "RHSA-2016:1389",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1389"
          },
          {
            "name": "RHSA-2016:1345",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1345"
          },
          {
            "name": "RHSA-2016:1376",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1376"
          },
          {
            "name": "RHSA-2016:1330",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://rhn.redhat.com/errata/RHSA-2016-1330.html"
          },
          {
            "name": "RHSA-2016:1439",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1439.html"
          },
          {
            "name": "RHSA-2016:1331",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://rhn.redhat.com/errata/RHSA-2016-1331.html"
          },
          {
            "name": "91481",
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/91481"
          },
          {
            "name": "RHSA-2016:1434",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1434"
          },
          {
            "name": "RHSA-2016:1328",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://rhn.redhat.com/errata/RHSA-2016-1328.html"
          },
          {
            "name": "RHSA-2016:1433",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1433"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.jboss.org/browse/JGRP-2021"
          },
          {
            "name": "RHSA-2016:1374",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1374"
          },
          {
            "name": "RHSA-2016:1432",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1432"
          },
          {
            "name": "RHSA-2016:1346",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1346"
          },
          {
            "name": "RHSA-2016:1334",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://rhn.redhat.com/errata/RHSA-2016-1334.html"
          },
          {
            "name": "RHSA-2016:1333",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://rhn.redhat.com/errata/RHSA-2016-1333.html"
          },
          {
            "name": "RHSA-2016:1329",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://rhn.redhat.com/errata/RHSA-2016-1329.html"
          },
          {
            "name": "RHSA-2016:1332",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://rhn.redhat.com/errata/RHSA-2016-1332.html"
          },
          {
            "name": "RHSA-2016:1435",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1435.html"
          },
          {
            "name": "1036165",
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1036165"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
          },
          {
            "name": "[geode-dev] 20200407 JGroups vulnerabilty",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E"
          },
          {
            "name": "[geode-dev] 20200407 Re: JGroups vulnerabilty",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-06-23T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-26T00:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:1347",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1347"
        },
        {
          "name": "RHSA-2016:2035",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"
        },
        {
          "name": "RHSA-2016:1389",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1389"
        },
        {
          "name": "RHSA-2016:1345",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1345"
        },
        {
          "name": "RHSA-2016:1376",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1376"
        },
        {
          "name": "RHSA-2016:1330",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://rhn.redhat.com/errata/RHSA-2016-1330.html"
        },
        {
          "name": "RHSA-2016:1439",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1439.html"
        },
        {
          "name": "RHSA-2016:1331",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://rhn.redhat.com/errata/RHSA-2016-1331.html"
        },
        {
          "name": "91481",
          "tags": [
            "vdb-entry"
          ],
          "url": "http://www.securityfocus.com/bid/91481"
        },
        {
          "name": "RHSA-2016:1434",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1434"
        },
        {
          "name": "RHSA-2016:1328",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://rhn.redhat.com/errata/RHSA-2016-1328.html"
        },
        {
          "name": "RHSA-2016:1433",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1433"
        },
        {
          "url": "https://issues.jboss.org/browse/JGRP-2021"
        },
        {
          "name": "RHSA-2016:1374",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1374"
        },
        {
          "name": "RHSA-2016:1432",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1432"
        },
        {
          "name": "RHSA-2016:1346",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1346"
        },
        {
          "name": "RHSA-2016:1334",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://rhn.redhat.com/errata/RHSA-2016-1334.html"
        },
        {
          "name": "RHSA-2016:1333",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://rhn.redhat.com/errata/RHSA-2016-1333.html"
        },
        {
          "name": "RHSA-2016:1329",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://rhn.redhat.com/errata/RHSA-2016-1329.html"
        },
        {
          "name": "RHSA-2016:1332",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://rhn.redhat.com/errata/RHSA-2016-1332.html"
        },
        {
          "name": "RHSA-2016:1435",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1435.html"
        },
        {
          "name": "1036165",
          "tags": [
            "vdb-entry"
          ],
          "url": "http://www.securitytracker.com/id/1036165"
        },
        {
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
        },
        {
          "name": "[geode-dev] 20200407 JGroups vulnerabilty",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E"
        },
        {
          "name": "[geode-dev] 20200407 Re: JGroups vulnerabilty",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-2141",
    "datePublished": "2016-06-30T00:00:00",
    "dateReserved": "2016-01-29T00:00:00",
    "dateUpdated": "2024-08-05T23:17:50.610Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

rhsa-2016_1432

Vulnerability from csaf_redhat

cve-2015-5174

Vulnerability from cvelistv5

cve-2016-2141

Vulnerability from cvelistv5

Tags