#VU263 Security Manager bypass in Oracle products - CVE-2016-0706 

Published: August 5, 2016 / Updated: January 11, 2017


Vulnerability identifier: #VU263
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-0706
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Apache Tomcat
Oracle Solaris
Oracle Linux
Oracle Transportation Management
Virtual Desktop Infrastructure
Software vendor:
Apache Foundation
Oracle

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

A local attacker who controls a web application can use the StatusManagerServlet, when a security manager is configured, to obtain potentially sensitive information belonging to other users. The attacker is able to obtain a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. This could expose sensitive information from other web applications, such as session IDs, to the attacker's web application.

Successful exploitation of the vulnerability may allow a local attacker to gain access to potentially sensitive information.


Remediation

Install the latest version: Apache Tomcat 6.0.45, 7.0.68, 8.0.32 or 9.0.0.M3.
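The check below is an added example, not part of this advisory or of the Apache Tomcat project, for confirming that an installed Tomcat is at or above the fixed release listed above for its branch. It assumes the version is read from the `Server version: Apache Tomcat/x.y.z` line printed by Tomcat's `version.sh`; the banner embedded in the block is constructed sample output. It also handles the milestone case (9.0.0.M1 and M2 are older than the fix, 9.0.0.M3 and any later 9.0.x release are not) and reports branches the advisory does not cover as unknown rather than as fixed.

```python
import re
from typing import Optional, Tuple

# Fixed releases as listed in the advisory, one per affected branch.
FIXED_VERSIONS = {
    (6, 0): "6.0.45",
    (7, 0): "7.0.68",
    (8, 0): "8.0.32",
    (9, 0): "9.0.0.M3",
}

# Matches final releases ("8.0.30") and milestone builds ("9.0.0.M3").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, float]:
    """Turn a Tomcat version string into a comparable tuple.

    A milestone build sorts before the final release carrying the same
    numbers, so the fourth element is the milestone number for milestones
    and +infinity for final releases.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), rank)


def version_from_banner(banner: str) -> Optional[str]:
    """Extract the version from the output of Tomcat's version.sh.

    Only the 'Server version: Apache Tomcat/x.y.z' line is used.
    """
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", banner)
    return m.group(1) if m else None


def is_fixed(version: str) -> Optional[bool]:
    """True if the version is at or above the fixed release for its branch,
    False if it is older, None if the branch is not covered by the advisory
    (for example 8.5.x, which the advisory does not list)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= parse_version(fixed)


# Constructed sample banner in the shape version.sh prints (assumption:
# the real output contains more lines, which are ignored here).
SAMPLE_BANNER = """\
Server version: Apache Tomcat/7.0.65
Server built:   Oct 9 2015 08:36:58 UTC
Server number:  7.0.65.0
OS Name:        Linux
"""

if __name__ == "__main__":
    found = version_from_banner(SAMPLE_BANNER)
    print(f"detected version: {found}")
    print(f"fixed for CVE-2016-0706: {is_fixed(found)}")
```

Run it against the real output of `$CATALINA_HOME/bin/version.sh` on the host being checked; a `None` result means the branch is not one the advisory names, so the fix status must be confirmed from the vendor's release notes rather than assumed.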

External links