Skip to main content

CVE-2016-0763

Severity

6.3

Description

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue and using the Security Manager.

Related links:

Project

Apache Tomcat

Apache TomEE

Category
n/a
Tags
data
Date Disclosed

2016-02-24

Date Discovered

2015-12-16

Apache Tomcat 6.0.x

First release:
2007-02-28
First release:
2016-12-31
CVEs:
50
Support Lifecycle:
Namespace:
javax
6.0.136.0.146.0.166.0.186.0.206.0.246.0.266.0.286.0.296.0.306.0.326.0.336.0.356.0.366.0.376.0.396.0.416.0.436.0.44

Apache TomEE 1.7.x

First release:
2014-08-09
CVEs:
95
Support Lifecycle:
Namespace:
javax
1.7.01.7.11.7.21.7.3

Apache TomEE 1.6.x

First release:
2013-11-17
CVEs:
108
Support Lifecycle:
Namespace:
javax
1.6.01.6.0.11.6.0.2

Apache TomEE 1.5.x

First release:
2012-09-28
CVEs:
119
Support Lifecycle:
Namespace:
javax
1.5.01.5.11.5.2

Apache TomEE 1.0.x

First release:
2012-04-27
CVEs:
130
Support Lifecycle:
Namespace:
javax
1.0.0
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.