Multiple vulnerabilities in Apache Tomcat versions < 6.0.45, 7.0.65, 8.0.27, 8.0.30, 9.0.0 M2, 7.0.66, 7.0.68, 8.0.31.

Vulnerabilities include:
- Directory traversal allowing bypass of the SecurityManager
- Directory enumeration through redirection handling
- Session fixation
- CSRF bypass in Manager and HostManager
- Authorization bypass allowing authenticated users to access privileged information such as HTTP requests containing session-ids
- Arbitrary remote code execution via persistent session object
- Authorization bypass allowing read/write access to application data from an authenticated user

NIST CVE links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5174
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5345
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5346
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5351
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0706
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0714
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0763

Reproducible: Always
6 has now been removed from the tree.
CVE-2016-0763 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0763): The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

CVE-2016-0714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0714): The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

CVE-2016-0706 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0706): Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
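A small version-triage helper for the three CVEs quoted in the comment above, added here as an example and not part of the bug report or of Gentoo's tooling. It encodes only the "fixed in" versions stated in those three CVE descriptions (the CVE-2015-* issues from the summary are not covered), and assumes Tomcat version strings of the form `8.0.30` or `9.0.0.M2`, with milestones sorting before the final release of the same number.

```python
import re

# Fixed versions per major branch, as stated in the three CVE descriptions
# quoted above. A branch absent from a CVE's map is not affected by that CVE.
FIXED_IN = {
    "CVE-2016-0763": {7: "7.0.68", 8: "8.0.31", 9: "9.0.0.M3"},
    "CVE-2016-0714": {6: "6.0.45", 7: "7.0.68", 8: "8.0.31", 9: "9.0.0.M2"},
    "CVE-2016-0706": {6: "6.0.45", 7: "7.0.68", 8: "8.0.31", 9: "9.0.0.M2"},
}

# Accepts "8.0.30", "9.0.0.M2" and the "9.0.0 M2" spelling used in the summary.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.\s]M(\d+))?$")


def parse_version(text):
    """Turn a Tomcat version string into a tuple that compares correctly.

    Milestone builds sort before the final release of the same number,
    so 9.0.0.M2 < 9.0.0.M3 < 9.0.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), tail)


def unfixed_cves(version):
    """Return the CVEs from FIXED_IN whose fix is newer than this version.

    Branches not listed in FIXED_IN (e.g. Tomcat 5.x) yield no result and
    must be assessed separately; an empty list is not a clean bill of health.
    """
    parsed = parse_version(version)
    hits = []
    for cve, per_branch in FIXED_IN.items():
        fixed = per_branch.get(parsed[0])
        if fixed is not None and parsed < parse_version(fixed):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for v in ("6.0.44", "7.0.68", "8.0.30", "9.0.0.M2", "9.0.0.M3"):
        print(v, "->", unfixed_cves(v) or "fixed for all three")
```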
9.x is unstable.
This issue was resolved and addressed in GLSA 201705-09 at https://security.gentoo.org/glsa/201705-09 by GLSA coordinator Yury German (BlueKnight).