Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/57776?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/57776?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M1", "type": "maven", "namespace": "org.apache.tomcat", "name": "tomcat", "version": "9.0.0.M1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "9.0.0.M3", "latest_non_vulnerable_version": "11.0.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40903?format=api", "vulnerability_id": "VCID-1kgu-zupu-tydw", "summary": "Uncontrolled Resource Consumption\nThe HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of `SETTINGS` frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0199", "reference_id": "CVE-2019-0199", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0199" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57779?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.16" } ], "aliases": [ "CVE-2019-0199" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1kgu-zupu-tydw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38548?format=api", "vulnerability_id": "VCID-3nsr-9s9y-ckft", "summary": "Improper Resource Shutdown or Release\nThe handling of an HTTP/2 `GOAWAY` frame for a connection did not close streams associated with that connection that were currently waiting for a `WINDOW_UPDATE` before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.", "references": [ { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/d24303fb095db072740d8154b0f0db3f2b8f67bc91a0562dbe89c738@%3Cannounce.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/d24303fb095db072740d8154b0f0db3f2b8f67bc91a0562dbe89c738@%3Cannounce.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.gentoo.org/glsa/201705-09", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/201705-09" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180614-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180614-0001/" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "reference_url": "http://www.securityfocus.com/bid/97531", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/97531" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5650", "reference_id": "CVE-2017-5650", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5650" }, { "reference_url": "https://github.com/advisories/GHSA-9785-w233-x6hv", "reference_id": "GHSA-9785-w233-x6hv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9785-w233-x6hv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62426?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M19" } ], "aliases": [ "CVE-2017-5650", "GHSA-9785-w233-x6hv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3nsr-9s9y-ckft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38547?format=api", "vulnerability_id": "VCID-4nx6-t8vd-bqcu", "summary": "Information Exposure\nThe refactoring of the HTTP connectors introduced a regression in the send file processing. If the file processing completed quickly, it is possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.", "references": [ { "reference_url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=60918", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=60918" }, { "reference_url": "https://github.com/apache/tomcat", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat" }, { "reference_url": "https://github.com/apache/tomcat/commit/494429ca210641b6b7affe89a2b0a6c0ff70109b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat/commit/494429ca210641b6b7affe89a2b0a6c0ff70109b" }, { "reference_url": "https://github.com/apache/tomcat/commit/9233d9d6a018be4415d4d7d6cb4fe01176adf1a8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat/commit/9233d9d6a018be4415d4d7d6cb4fe01176adf1a8" }, { "reference_url": "https://github.com/search?q=repo%3Aapache%2Ftomcat+apache.coyote+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F&type=code", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/search?q=repo%3Aapache%2Ftomcat+apache.coyote+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F&type=code" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8@%3Cannounce.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8@%3Cannounce.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8%40%3Cannounce.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8%40%3Cannounce.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.gentoo.org/glsa/201705-09", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/201705-09" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180614-0001", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180614-0001" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180614-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180614-0001/" }, { "reference_url": "https://web.archive.org/web/20170417124228/http://www.securityfocus.com/bid/97544", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20170417124228/http://www.securityfocus.com/bid/97544" }, { "reference_url": "https://web.archive.org/web/20170420113605/http://www.securitytracker.com/id/1038219", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20170420113605/http://www.securitytracker.com/id/1038219" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "reference_url": "http://www.securityfocus.com/bid/97544", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/97544" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5651", "reference_id": "CVE-2017-5651", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5651" }, { "reference_url": "https://github.com/advisories/GHSA-9hg2-395j-83rm", "reference_id": "GHSA-9hg2-395j-83rm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9hg2-395j-83rm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62426?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M19" } ], "aliases": [ "CVE-2017-5651", "GHSA-9hg2-395j-83rm" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4nx6-t8vd-bqcu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44045?format=api", "vulnerability_id": "VCID-5m85-3zyu-7qak", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\nThe session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2016:1087", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2016:1087" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2016:1088", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2016:1088" }, { "reference_url": "http://seclists.org/bugtraq/2016/Feb/145", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/bugtraq/2016/Feb/145" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.gentoo.org/glsa/201705-09", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/201705-09" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180531-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180531-0001/" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1725263", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1725263" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1725914", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1725914" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1726196", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1726196" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1726203", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1726203" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1726923", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1726923" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1727034", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1727034" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1727166", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1727166" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1727182", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1727182" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://tomcat.apache.org/security-8.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-8.html" }, { "reference_url": "http://tomcat.apache.org/security-9.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-9.html" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3530", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3530" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3552", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3552" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3609", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3609" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html" }, { "reference_url": "http://www.ubuntu.com/usn/USN-3024-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-3024-1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0714", "reference_id": "CVE-2016-0714", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0714" }, { "reference_url": "https://github.com/advisories/GHSA-mv42-px54-87jw", "reference_id": "GHSA-mv42-px54-87jw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mv42-px54-87jw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62886?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1m6-79yt-f7h5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2" } ], "aliases": [ "CVE-2016-0714", "GHSA-mv42-px54-87jw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5m85-3zyu-7qak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43376?format=api", "vulnerability_id": "VCID-6umz-z8db-kqcy", "summary": "Improper Access Control\nRemote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0455", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0455" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0456", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0456" }, { "reference_url": "https://github.com/apache/tomcat", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat" }, { "reference_url": "https://github.com/apache/tomcat80/commit/0f76016a4ec45635e450ada9c84ff7ee0c5f3799", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat80/commit/0f76016a4ec45635e450ada9c84ff7ee0c5f3799" }, { "reference_url": "https://github.com/apache/tomcat/commit/0e83ad3e547fc9a75a258799ef581249b40a82a6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat/commit/0e83ad3e547fc9a75a258799ef581249b40a82a6" }, { "reference_url": "https://github.com/apache/tomcat/commit/292d6ccdc9edbf80859929b0af070b2ea99fa688", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat/commit/292d6ccdc9edbf80859929b0af070b2ea99fa688" }, { "reference_url": "https://github.com/apache/tomcat/commit/7e3a037055cca4a17e90b49399fb1bab4dd7c821", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/apache/tomcat/commit/7e3a037055cca4a17e90b49399fb1bab4dd7c821" }, { "reference_url": "https://github.com/search?q=repo%3Aapache%2Ftomcat+catalina.mbeans+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F&type=code", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/search?q=repo%3Aapache%2Ftomcat+catalina.mbeans+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F&type=code" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180607-0001", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180607-0001" }, { "reference_url": "https://usn.ubuntu.com/4557-1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4557-1" }, { "reference_url": "https://web.archive.org/web/20170423095340/http://www.securityfocus.com/bid/94463", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20170423095340/http://www.securityfocus.com/bid/94463" }, { "reference_url": "https://web.archive.org/web/20170928203901/http://www.securitytracker.com/id/1037331", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20170928203901/http://www.securitytracker.com/id/1037331" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-8735", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-8735" }, { "reference_url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "reference_url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", "reference_id": "CVE-2016-8735", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8735" }, { "reference_url": "https://github.com/advisories/GHSA-cw54-59pw-4g8c", "reference_id": "GHSA-cw54-59pw-4g8c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cw54-59pw-4g8c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62178?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M12" } ], "aliases": [ "CVE-2016-8735", "GHSA-cw54-59pw-4g8c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6umz-z8db-kqcy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38760?format=api", "vulnerability_id": "VCID-axzz-cadr-b7fv", "summary": "Information Exposure\nWhen a `SecurityManager` is configured, a web application's ability to read system properties should be controlled by the `SecurityManager`. In Apache Tomcat, the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.", "references": [ { "reference_url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0455", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0455" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0456", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0456" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2247", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2247" }, { "reference_url": "https://lists.apache.org/thread.html/09d2f2c65ac4ff5da42f15dc2b0f78b655e50f1a42e8a9784134a9eb@%3Cannounce.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/09d2f2c65ac4ff5da42f15dc2b0f78b655e50f1a42e8a9784134a9eb@%3Cannounce.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180605-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180605-0001/" }, { "reference_url": "https://usn.ubuntu.com/4557-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4557-1/" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3720", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3720" }, { "reference_url": "http://www.securityfocus.com/bid/93943", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/93943" }, { "reference_url": "http://www.securitytracker.com/id/1037143", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1037143" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", "reference_id": "CVE-2016-6794", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6794" }, { "reference_url": "https://github.com/advisories/GHSA-2rvf-329f-p99g", "reference_id": "GHSA-2rvf-329f-p99g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2rvf-329f-p99g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62100?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10" } ], "aliases": [ "CVE-2016-6794", "GHSA-2rvf-329f-p99g" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-axzz-cadr-b7fv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38763?format=api", "vulnerability_id": "VCID-dast-z2hv-2yfe", "summary": "Path Traversal\nThe HTTP/2 implementation in Tomcat bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.", "references": [ { "reference_url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/5f8ab8a02f3610bd56ea2b0d69af25cbde451d79c46276c350e05a15@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/5f8ab8a02f3610bd56ea2b0d69af25cbde451d79c46276c350e05a15@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/d3a5818e8af731bde6a05ef031ed3acc093c6dd7c4bfcc4936eafd6c@%3Cannounce.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/d3a5818e8af731bde6a05ef031ed3acc093c6dd7c4bfcc4936eafd6c@%3Cannounce.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180614-0003/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180614-0003/" }, { "reference_url": "http://www.debian.org/security/2017/dsa-3974", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2017/dsa-3974" }, { "reference_url": "http://www.securityfocus.com/bid/100256", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/100256" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7675", "reference_id": "CVE-2017-7675", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7675" }, { "reference_url": "https://github.com/advisories/GHSA-68g5-8q7f-m384", "reference_id": "GHSA-68g5-8q7f-m384", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-68g5-8q7f-m384" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63365?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M22", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M22" } ], "aliases": [ "CVE-2017-7675", "GHSA-68g5-8q7f-m384" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dast-z2hv-2yfe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43792?format=api", "vulnerability_id": "VCID-e2gy-1c6a-6fdf", "summary": "Improper Neutralization of Input During Web Page Generation in Apache Tomcat\nSession fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html" }, { "reference_url": "http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-1089.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-1089.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2046.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2046.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2016:1087", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2016:1087" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2016:1088", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2016:1088" }, { "reference_url": "https://bto.bluecoat.com/security-advisory/sa118", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bto.bluecoat.com/security-advisory/sa118" }, { "reference_url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=58809", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=58809" }, { "reference_url": "http://seclists.org/bugtraq/2016/Feb/143", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/bugtraq/2016/Feb/143" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.gentoo.org/glsa/201705-09", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/201705-09" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180531-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180531-0001/" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1713184", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1713184" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1713185", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1713185" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1713187", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1713187" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1723414", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1723414" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1723506", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1723506" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://tomcat.apache.org/security-8.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-8.html" }, { "reference_url": "http://tomcat.apache.org/security-9.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-9.html" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3530", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3530" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3552", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3552" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3609", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3609" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html" }, { "reference_url": "http://www.ubuntu.com/usn/USN-3024-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-3024-1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5346", "reference_id": "CVE-2015-5346", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5346" }, { "reference_url": "https://github.com/advisories/GHSA-jrcp-c39h-r29x", "reference_id": "GHSA-jrcp-c39h-r29x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jrcp-c39h-r29x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62886?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1m6-79yt-f7h5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2" } ], "aliases": [ "CVE-2015-5346", "GHSA-jrcp-c39h-r29x" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e2gy-1c6a-6fdf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38644?format=api", "vulnerability_id": "VCID-gmjm-6ck2-skgu", "summary": "Improper Handling of Exceptional Conditions\nThe error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. The Default Servlet in Apache Tomcat does not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2017:1801", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:1801" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:1802", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:1802" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:1809", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:1809" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2493", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2493" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2494", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2494" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2633", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2633" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2635", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2635" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2636", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2636" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2637", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2637" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2638", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2638" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:3080", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:3080" }, { "reference_url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066@%3Cannounce.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066@%3Cannounce.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20171019-0002/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20171019-0002/" }, { "reference_url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us", "reference_id": "", "reference_type": "", "scores": [], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us" }, { "reference_url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "reference_url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "reference_url": "http://www.debian.org/security/2017/dsa-3891", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2017/dsa-3891" }, { "reference_url": "http://www.debian.org/security/2017/dsa-3892", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2017/dsa-3892" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "reference_url": "http://www.securityfocus.com/bid/98888", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/98888" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5664", "reference_id": "CVE-2017-5664", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5664" }, { "reference_url": "https://github.com/advisories/GHSA-jmvv-524f-hj5j", "reference_id": "GHSA-jmvv-524f-hj5j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jmvv-524f-hj5j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62559?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dast-z2hv-2yfe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M21" } ], "aliases": [ "CVE-2017-5664", "GHSA-jmvv-524f-hj5j" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gmjm-6ck2-skgu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38546?format=api", "vulnerability_id": "VCID-hqzu-shyu-j3hp", "summary": "Information Exposure\nWhen \"send file\" is used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2017:1801", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:1801" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:1802", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:1802" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2493", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2493" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2494", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2494" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:3080", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:3080" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:3081", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:3081" }, { "reference_url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03730en_us", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03730en_us" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/5796678c5a773c6f3ff57c178ac247d85ceca0dee9190ba48171451a@%3Cusers.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/5796678c5a773c6f3ff57c178ac247d85ceca0dee9190ba48171451a@%3Cusers.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.gentoo.org/glsa/201705-09", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/201705-09" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180614-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180614-0001/" }, { "reference_url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "reference_url": "http://www.arubanetworks.com/assets/alert/HPESBHF03730.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.arubanetworks.com/assets/alert/HPESBHF03730.txt" }, { "reference_url": "http://www.debian.org/security/2017/dsa-3842", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2017/dsa-3842" }, { "reference_url": "http://www.debian.org/security/2017/dsa-3843", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2017/dsa-3843" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "reference_url": "http://www.securitytracker.com/id/1038218", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1038218" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5647", "reference_id": "CVE-2017-5647", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5647" }, { "reference_url": "https://github.com/advisories/GHSA-3gv7-3h64-78cm", "reference_id": "GHSA-3gv7-3h64-78cm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3gv7-3h64-78cm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62426?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M19" } ], "aliases": [ "CVE-2017-5647", "GHSA-3gv7-3h64-78cm" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hqzu-shyu-j3hp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43691?format=api", "vulnerability_id": "VCID-jzta-navk-87bn", "summary": "Incorrect Authorization\nThe ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 does not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.", "references": [ { "reference_url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0455", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0455" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0456", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0456" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:2247", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:2247" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/9325837eb00cba5752c092047433c7f0415134d16e7f391447ff4352@%3Cannounce.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/9325837eb00cba5752c092047433c7f0415134d16e7f391447ff4352@%3Cannounce.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180605-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180605-0001/" }, { "reference_url": "https://usn.ubuntu.com/4557-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4557-1/" }, { "reference_url": "https://web.archive.org/web/20170320064509/http://www.securitytracker.com/id/1037145", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20170320064509/http://www.securitytracker.com/id/1037145" }, { "reference_url": "https://web.archive.org/web/20170423095945/http://www.securityfocus.com/bid/93940", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20170423095945/http://www.securityfocus.com/bid/93940" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3720", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3720" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", "reference_id": "CVE-2016-6797", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6797" }, { "reference_url": "https://github.com/advisories/GHSA-q6x7-f33r-3wxx", "reference_id": "GHSA-q6x7-f33r-3wxx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q6x7-f33r-3wxx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62100?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10" } ], "aliases": [ "CVE-2016-6797", "GHSA-q6x7-f33r-3wxx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jzta-navk-87bn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43964?format=api", "vulnerability_id": "VCID-n4zk-mdyw-3fcz", "summary": "Exposure of Sensitive Information to an Unauthorized Actor\nApache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html" }, { "reference_url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://marc.info/?l=bugtraq&m=145974991225029&w=2" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2045.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2599.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2807.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-2808.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2016:1087", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2016:1087" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2016:1088", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2016:1088" }, { "reference_url": "http://seclists.org/bugtraq/2016/Feb/144", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/bugtraq/2016/Feb/144" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442" }, { "reference_url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626", "reference_id": "", "reference_type": "", "scores": [], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.gentoo.org/glsa/201705-09", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/201705-09" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180531-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180531-0001/" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1722799", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1722799" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1722800", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1722800" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1722801", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1722801" }, { "reference_url": "http://svn.apache.org/viewvc?view=revision&revision=1722802", "reference_id": "", "reference_type": "", "scores": [], "url": "http://svn.apache.org/viewvc?view=revision&revision=1722802" }, { "reference_url": "http://tomcat.apache.org/security-6.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-6.html" }, { "reference_url": "http://tomcat.apache.org/security-7.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-7.html" }, { "reference_url": "http://tomcat.apache.org/security-8.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-8.html" }, { "reference_url": "http://tomcat.apache.org/security-9.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://tomcat.apache.org/security-9.html" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3530", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3530" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3552", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3552" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3609", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3609" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "reference_url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html" }, { "reference_url": "http://www.ubuntu.com/usn/USN-3024-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-3024-1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0706", "reference_id": "CVE-2016-0706", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0706" }, { "reference_url": "https://github.com/advisories/GHSA-6vx3-hr43-cfrh", "reference_id": "GHSA-6vx3-hr43-cfrh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6vx3-hr43-cfrh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62886?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1m6-79yt-f7h5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2" } ], "aliases": [ "CVE-2016-0706", "GHSA-6vx3-hr43-cfrh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n4zk-mdyw-3fcz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43772?format=api", "vulnerability_id": "VCID-s37s-p75k-27e6", "summary": "Apache Tomcat vulnerable to SecurityManager bypass\nA malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-3mjp-p938-4329", "reference_id": "GHSA-3mjp-p938-4329", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3mjp-p938-4329" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62100?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M10" } ], "aliases": [ "CVE-2016-6796", "GHSA-3mjp-p938-4329" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s37s-p75k-27e6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38545?format=api", "vulnerability_id": "VCID-se44-f85s-xyex", "summary": "Exposure of Resource to Wrong Sphere\nSome calls to application listeners in Apache Tomcat did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2017:1801", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:1801" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:1802", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:1802" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:1809", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:1809" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.gentoo.org/glsa/201705-09", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/201705-09" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180614-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180614-0001/" }, { "reference_url": "http://www.debian.org/security/2017/dsa-3842", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2017/dsa-3842" }, { "reference_url": "http://www.debian.org/security/2017/dsa-3843", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2017/dsa-3843" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2020/07/20/8", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2020/07/20/8" }, { "reference_url": "http://www.securityfocus.com/bid/97530", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/97530" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5648", "reference_id": "CVE-2017-5648", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5648" }, { "reference_url": "https://github.com/advisories/GHSA-3vx3-xf6q-r5xp", "reference_id": "GHSA-3vx3-xf6q-r5xp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3vx3-xf6q-r5xp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62424?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3nsr-9s9y-ckft" }, { "vulnerability": "VCID-4nx6-t8vd-bqcu" }, { "vulnerability": "VCID-hqzu-shyu-j3hp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M18" } ], "aliases": [ "CVE-2017-5648", "GHSA-3vx3-xf6q-r5xp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-se44-f85s-xyex" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43389?format=api", "vulnerability_id": "VCID-y9hs-ymcm-3ucx", "summary": "Improper Input Validation\nThe code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.", "references": [ { "reference_url": "http://rhn.redhat.com/errata/RHSA-2017-0244.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2017-0244.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2017-0245.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2017-0245.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2017-0246.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2017-0246.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2017-0247.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2017-0247.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2017-0250.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2017-0250.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2017-0457.html" }, { "reference_url": "http://rhn.redhat.com/errata/RHSA-2017-0527.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://rhn.redhat.com/errata/RHSA-2017-0527.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0455", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0455" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0456", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0456" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2017:0935", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2017:0935" }, { "reference_url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20180607-0001/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20180607-0001/" }, { "reference_url": "https://svn.apache.org/viewvc?view=revision&revision=1767641", "reference_id": "", "reference_type": "", "scores": [], "url": "https://svn.apache.org/viewvc?view=revision&revision=1767641" }, { "reference_url": "https://svn.apache.org/viewvc?view=revision&revision=1767645", "reference_id": "", "reference_type": "", "scores": [], "url": "https://svn.apache.org/viewvc?view=revision&revision=1767645" }, { "reference_url": "https://svn.apache.org/viewvc?view=revision&revision=1767653", "reference_id": "", "reference_type": "", "scores": [], "url": "https://svn.apache.org/viewvc?view=revision&revision=1767653" }, { "reference_url": "https://svn.apache.org/viewvc?view=revision&revision=1767675", "reference_id": "", "reference_type": "", "scores": [], "url": "https://svn.apache.org/viewvc?view=revision&revision=1767675" }, { "reference_url": "https://svn.apache.org/viewvc?view=revision&revision=1767683", "reference_id": "", "reference_type": "", "scores": [], "url": "https://svn.apache.org/viewvc?view=revision&revision=1767683" }, { "reference_url": "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", "reference_id": "", "reference_type": "", "scores": [], "url": "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48" }, { "reference_url": "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", "reference_id": "", "reference_type": "", "scores": [], "url": "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73" }, { "reference_url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", "reference_id": "", "reference_type": "", "scores": [], "url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39" }, { "reference_url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8" }, { "reference_url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M13", "reference_id": "", "reference_type": "", "scores": [], "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M13" }, { "reference_url": "https://usn.ubuntu.com/4557-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4557-1/" }, { "reference_url": "https://www.exploit-db.com/exploits/41783/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.exploit-db.com/exploits/41783/" }, { "reference_url": "http://www.debian.org/security/2016/dsa-3738", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2016/dsa-3738" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", "reference_id": "CVE-2016-6816", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6816" }, { "reference_url": "https://github.com/advisories/GHSA-jc7p-5r39-9477", "reference_id": "GHSA-jc7p-5r39-9477", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jc7p-5r39-9477" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62178?format=api", "purl": "pkg:maven/org.apache.tomcat/tomcat@9.0.0.M12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M12" } ], "aliases": [ "CVE-2016-6816", "GHSA-jc7p-5r39-9477" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y9hs-ymcm-3ucx" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M1" }