Home > Vulnerability Database > CVE-2016-0763

Mend.io Vulnerability Database

CVE-2016-0763

Good to know:

Date: February 24, 2016

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Language: Java

Severity Score

6.3

Related Resources (45)

Url: http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

Url: https://github.com/apache/tomcat80/commit/0531f7aeff1999d362e0a68512a3517f2cf1a6ae

Url: https://web.archive.org/web/20160314101138/http://www.securityfocus.com/bid/83326

Url: http://www.debian.org/security/2016/dsa-3609

Url: http://rhn.redhat.com/errata/RHSA-2016-2599.html

Url: https://security.netapp.com/advisory/ntap-20180531-0001

Url: https://github.com/apache/tomcat

Url: http://tomcat.apache.org/security-8.html

Url: http://www.securitytracker.com/id/1035069

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

Url: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

Url: http://svn.apache.org/viewvc?view=revision&revision=1725929

Url: http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

Url: http://svn.apache.org/viewvc?view=revision&revision=1725926

Url: https://bto.bluecoat.com/security-advisory/sa118

Url: http://www.ubuntu.com/usn/USN-3024-1

Url: https://web.archive.org/web/20160404202803/http://www.securitytracker.com/id/1035069

Url: https://access.redhat.com/errata/RHSA-2016:1088

Url: https://security.netapp.com/advisory/ntap-20180531-0001/

Url: https://security.gentoo.org/glsa/201705-09

Url: https://github.com/apache/tomcat/commit/c08641da04d31f730b56b8675301e55db97dfe88

Url: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Url: http://tomcat.apache.org/security-7.html

Url: http://seclists.org/bugtraq/2016/Feb/147

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2016:1087

Url: http://www.debian.org/security/2016/dsa-3530

Url: http://www.debian.org/security/2016/dsa-3552

Url: http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

Url: http://rhn.redhat.com/errata/RHSA-2016-2807.html

Url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

Url: http://svn.apache.org/viewvc?view=revision&revision=1725931

Url: https://access.redhat.com/security/cve/CVE-2016-0763

Url: http://rhn.redhat.com/errata/RHSA-2016-1089.html

Url: http://tomcat.apache.org/security-9.html

Url: http://www.securityfocus.com/bid/83326

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755

Url: http://rhn.redhat.com/errata/RHSA-2016-2808.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-0763

Url: http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html

Url: https://github.com/apache/tomcat/commit/76ebc9007567c8326217dd94844540e1e27d8468

Url: https://www.mend.io/vulnerability-database/CVE-2016-0763

Severity Score

6.3

Weakness Type (CWE)

Permissions, Privileges, and Access Control

CWE-264

Improper Verification of Source of a Communication Channel

CWE-940

Top Fix

Upgrade Version

Upgrade to version org.apache.tomcat:tomcat:7.0.68;org.apache.tomcat:tomcat:8.0.32;org.apache.tomcat:tomcat:9.0.0.M3

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

CVSS v2

Base Score:	6.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2016-0763

Good to know:

Date: February 24, 2016

Language: Java

Severity Score

Related Resources (45)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?