VulnerableCode Package Details - pkg:apache/tomcat@7.0.67

Search for packages

Vulnerability	Summary	Fixed by
VCID-1k8f-vsg1-k3d6 Aliases: CVE-2016-0706 GHSA-6vx3-hr43-cfrh	Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.	7.0.68 Affected by 0 other vulnerabilities. 8.0.32 Affected by 0 other vulnerabilities. 9.0.0+M3 Affected by 0 other vulnerabilities.
VCID-68fk-4g86-ekbp Aliases: CVE-2015-5345 GHSA-rh8q-vjgf-gf74	The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.	7.0.68 Affected by 0 other vulnerabilities. 8.0.30 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.0.0+M3 Affected by 0 other vulnerabilities.
VCID-9exq-fhv6-bbea Aliases: CVE-2016-0763 GHSA-9hjv-9h75-xmpp	The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.	7.0.68 Affected by 0 other vulnerabilities. 8.0.32 Affected by 0 other vulnerabilities. 9.0.0+M3 Affected by 0 other vulnerabilities.
VCID-tfrs-d458-tfaq Aliases: CVE-2016-0714 GHSA-mv42-px54-87jw	The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.	7.0.68 Affected by 0 other vulnerabilities. 8.0.32 Affected by 0 other vulnerabilities. 9.0.0+M3 Affected by 0 other vulnerabilities.
VCID-vhjj-dnft-kkf4 Aliases: CVE-2015-5351 GHSA-w7cg-5969-678w	The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.	7.0.68 Affected by 0 other vulnerabilities. 8.0.32 Affected by 0 other vulnerabilities. 9.0.0+M3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-1k8f-vsg1-k3d6
Aliases:
CVE-2016-0706
GHSA-6vx3-hr43-cfrh

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

7.0.68
Affected by 0 other vulnerabilities.

8.0.32
Affected by 0 other vulnerabilities.