Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-5m85-3zyu-7qak

Summary

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

Aliases

alias	CVE-2016-0714

alias	GHSA-mv42-px54-87jw

Fixed_packages

url	pkg:maven/org.apache.tomcat/tomcat@6.0.46
purl	pkg:maven/org.apache.tomcat/tomcat@6.0.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.46

url pkg:maven/org.apache.tomcat/tomcat@7.0.70

purl pkg:maven/org.apache.tomcat/tomcat@7.0.70

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-s37s-p75k-27e6

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.70

url	pkg:maven/org.apache.tomcat/tomcat@8.0.32
purl	pkg:maven/org.apache.tomcat/tomcat@8.0.32
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.32

url pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2

purl pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-j1m6-79yt-f7h5

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M2

Affected_packages

url pkg:maven/org.apache.tomcat/tomcat@6.0.0

purl pkg:maven/org.apache.tomcat/tomcat@6.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2kjh-4r2g-rqe6

vulnerability	VCID-46sr-9kr3-1ubw

vulnerability	VCID-4t2h-jjhm-y7fq

vulnerability	VCID-5m85-3zyu-7qak

vulnerability	VCID-6uuq-2a39-yubx

vulnerability	VCID-74c7-a56p-kufz

vulnerability	VCID-7787-4bwm-efgq

vulnerability	VCID-89e9-m968-vfhe

vulnerability	VCID-9hm5-e4dw-6ffe

vulnerability	VCID-9j31-459b-4qbm

vulnerability	VCID-aar2-398x-p3d8

vulnerability	VCID-atus-ryef-17h1

vulnerability	VCID-axzz-cadr-b7fv

vulnerability	VCID-crhe-rt8j-wycu

vulnerability	VCID-eawm-8v9w-yfap

vulnerability	VCID-eygg-nt7y-qubh

vulnerability	VCID-f4ka-47dk-zffs

vulnerability	VCID-fu9h-e3jx-abe2

vulnerability	VCID-fuxz-fqw3-ufa9

vulnerability	VCID-hmqa-jhuf-hfe2

vulnerability	VCID-hqzu-shyu-j3hp

vulnerability	VCID-jw6e-g8z9-43ej

vulnerability	VCID-kxc3-vz2c-wqca

vulnerability	VCID-n4zk-mdyw-3fcz

vulnerability	VCID-pq53-6deg-abfx

vulnerability	VCID-pzkk-4e94-aqag

vulnerability	VCID-qz87-x4zb-rud7

vulnerability	VCID-qzyq-d6qk-67ag

vulnerability	VCID-rdr4-db3y-p3cz

vulnerability	VCID-redv-2x5y-8khx

vulnerability	VCID-s37s-p75k-27e6

vulnerability	VCID-t3ya-1w1r-h3dv

vulnerability	VCID-t4mh-zvhq-27du

vulnerability	VCID-tcmv-6ftg-fqen

vulnerability	VCID-vsta-e8jg-4qa8

vulnerability	VCID-w8uj-zy2r-fyca

vulnerability	VCID-wg7f-pjmn-uudk

vulnerability	VCID-wtke-y2cx-x3et

vulnerability	VCID-y9yv-u4jh-mqew

vulnerability	VCID-yswq-hnqg-sycs

vulnerability	VCID-yvcg-96dp-r7e6

vulnerability	VCID-zm75-zwps-h3fv

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.0

url pkg:maven/org.apache.tomcat/tomcat@7.0.0

purl pkg:maven/org.apache.tomcat/tomcat@7.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1a1b-3pdg-jbfq

vulnerability	VCID-2kjh-4r2g-rqe6

vulnerability	VCID-3txt-1psa-5kf5

vulnerability	VCID-46sr-9kr3-1ubw

vulnerability	VCID-4qcn-52ug-mbd5

vulnerability	VCID-4t2h-jjhm-y7fq

vulnerability	VCID-59dd-qzpt-aucm

vulnerability	VCID-5m85-3zyu-7qak

vulnerability	VCID-5udv-rheh-kqfy

vulnerability	VCID-6umz-z8db-kqcy

vulnerability	VCID-6uuq-2a39-yubx

vulnerability	VCID-74c7-a56p-kufz

vulnerability	VCID-89e9-m968-vfhe

vulnerability	VCID-937w-2w2q-7fdy

vulnerability	VCID-9hm5-e4dw-6ffe

vulnerability	VCID-aar2-398x-p3d8

vulnerability	VCID-atus-ryef-17h1

vulnerability	VCID-axzz-cadr-b7fv

vulnerability	VCID-dk58-p9py-rka9

vulnerability	VCID-e2gy-1c6a-6fdf

vulnerability	VCID-e72e-axdj-7qfw

vulnerability	VCID-f4ka-47dk-zffs

vulnerability	VCID-fu9h-e3jx-abe2

vulnerability	VCID-g3vd-74yh-s7bn

vulnerability	VCID-gmjm-6ck2-skgu

vulnerability	VCID-hqzu-shyu-j3hp

vulnerability	VCID-j1m6-79yt-f7h5

vulnerability	VCID-jw6e-g8z9-43ej

vulnerability	VCID-jzta-navk-87bn

vulnerability	VCID-nnye-4xbb-kuf5

vulnerability	VCID-nxb3-55eu-auhp

vulnerability	VCID-pq53-6deg-abfx

vulnerability	VCID-qhqg-ekuv-z7fc

vulnerability	VCID-redv-2x5y-8khx

vulnerability	VCID-s37s-p75k-27e6

vulnerability	VCID-se44-f85s-xyex

vulnerability	VCID-sk1w-8yt4-93cv

vulnerability	VCID-tcmv-6ftg-fqen

vulnerability	VCID-vsta-e8jg-4qa8

vulnerability	VCID-wtke-y2cx-x3et

vulnerability	VCID-xjj5-fy4e-e7ha

vulnerability	VCID-y9hs-ymcm-3ucx

vulnerability	VCID-yusx-ncpv-sfhg

vulnerability	VCID-yvcg-96dp-r7e6

vulnerability	VCID-zm75-zwps-h3fv

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.0

url pkg:maven/org.apache.tomcat/tomcat@8.0.0.RC1

purl pkg:maven/org.apache.tomcat/tomcat@8.0.0.RC1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5m85-3zyu-7qak

vulnerability	VCID-e2gy-1c6a-6fdf

vulnerability	VCID-n4zk-mdyw-3fcz

vulnerability	VCID-s37s-p75k-27e6

vulnerability	VCID-tcmv-6ftg-fqen

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.0.RC1

url pkg:maven/org.apache.tomcat/tomcat@9.0.0.M1

purl pkg:maven/org.apache.tomcat/tomcat@9.0.0.M1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1kgu-zupu-tydw

vulnerability	VCID-3nsr-9s9y-ckft

vulnerability	VCID-4nx6-t8vd-bqcu

vulnerability	VCID-5m85-3zyu-7qak

vulnerability	VCID-6umz-z8db-kqcy

vulnerability	VCID-axzz-cadr-b7fv

vulnerability	VCID-dast-z2hv-2yfe

vulnerability	VCID-e2gy-1c6a-6fdf

vulnerability	VCID-gmjm-6ck2-skgu

vulnerability	VCID-hqzu-shyu-j3hp

vulnerability	VCID-jzta-navk-87bn

vulnerability	VCID-n4zk-mdyw-3fcz

vulnerability	VCID-s37s-p75k-27e6

vulnerability	VCID-se44-f85s-xyex

vulnerability	VCID-y9hs-ymcm-3ucx

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0.M1

References

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

reference_url	http://marc.info/?l=bugtraq&m=145974991225029&w=2
reference_id
reference_type
scores
url	http://marc.info/?l=bugtraq&m=145974991225029&w=2

reference_url	http://rhn.redhat.com/errata/RHSA-2016-2045.html
reference_id
reference_type
scores
url	http://rhn.redhat.com/errata/RHSA-2016-2045.html

reference_url	http://rhn.redhat.com/errata/RHSA-2016-2599.html
reference_id
reference_type
scores
url	http://rhn.redhat.com/errata/RHSA-2016-2599.html

reference_url	http://rhn.redhat.com/errata/RHSA-2016-2807.html
reference_id
reference_type
scores
url	http://rhn.redhat.com/errata/RHSA-2016-2807.html

reference_url	http://rhn.redhat.com/errata/RHSA-2016-2808.html
reference_id
reference_type
scores
url	http://rhn.redhat.com/errata/RHSA-2016-2808.html

reference_url	https://access.redhat.com/errata/RHSA-2016:1087
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2016:1087

reference_url	https://access.redhat.com/errata/RHSA-2016:1088
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2016:1088

reference_url	http://seclists.org/bugtraq/2016/Feb/145
reference_id
reference_type
scores
url	http://seclists.org/bugtraq/2016/Feb/145

reference_url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
reference_id
reference_type
scores
url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964

reference_url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
reference_id
reference_type
scores
url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

reference_url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
reference_id
reference_type
scores
url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

reference_url	https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

reference_url	https://security.gentoo.org/glsa/201705-09
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/201705-09

reference_url	https://security.netapp.com/advisory/ntap-20180531-0001/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20180531-0001/

reference_url	http://svn.apache.org/viewvc?view=revision&revision=1725263
reference_id
reference_type
scores
url	http://svn.apache.org/viewvc?view=revision&revision=1725263

reference_url	http://svn.apache.org/viewvc?view=revision&revision=1725914
reference_id
reference_type
scores
url	http://svn.apache.org/viewvc?view=revision&revision=1725914

reference_url	http://svn.apache.org/viewvc?view=revision&revision=1726196
reference_id
reference_type
scores
url	http://svn.apache.org/viewvc?view=revision&revision=1726196

reference_url	http://svn.apache.org/viewvc?view=revision&revision=1726203
reference_id
reference_type
scores
url	http://svn.apache.org/viewvc?view=revision&revision=1726203

reference_url	http://svn.apache.org/viewvc?view=revision&revision=1726923
reference_id
reference_type
scores
url	http://svn.apache.org/viewvc?view=revision&revision=1726923

reference_url	http://svn.apache.org/viewvc?view=revision&revision=1727034
reference_id
reference_type
scores
url	http://svn.apache.org/viewvc?view=revision&revision=1727034

reference_url	http://svn.apache.org/viewvc?view=revision&revision=1727166
reference_id
reference_type
scores
url	http://svn.apache.org/viewvc?view=revision&revision=1727166

reference_url	http://svn.apache.org/viewvc?view=revision&revision=1727182
reference_id
reference_type
scores
url	http://svn.apache.org/viewvc?view=revision&revision=1727182

reference_url	http://tomcat.apache.org/security-6.html
reference_id
reference_type
scores
url	http://tomcat.apache.org/security-6.html

reference_url	http://tomcat.apache.org/security-7.html
reference_id
reference_type
scores
url	http://tomcat.apache.org/security-7.html

reference_url	http://tomcat.apache.org/security-8.html
reference_id
reference_type
scores
url	http://tomcat.apache.org/security-8.html

reference_url	http://tomcat.apache.org/security-9.html
reference_id
reference_type
scores
url	http://tomcat.apache.org/security-9.html

reference_url	http://www.debian.org/security/2016/dsa-3530
reference_id
reference_type
scores
url	http://www.debian.org/security/2016/dsa-3530

reference_url	http://www.debian.org/security/2016/dsa-3552
reference_id
reference_type
scores
url	http://www.debian.org/security/2016/dsa-3552

reference_url	http://www.debian.org/security/2016/dsa-3609
reference_id
reference_type
scores
url	http://www.debian.org/security/2016/dsa-3609

reference_url	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

reference_url	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

reference_url	http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

reference_url	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

reference_url	http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

reference_url	http://www.ubuntu.com/usn/USN-3024-1
reference_id
reference_type
scores
url	http://www.ubuntu.com/usn/USN-3024-1

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-0714
reference_id	CVE-2016-0714
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-0714

reference_url	https://github.com/advisories/GHSA-mv42-px54-87jw
reference_id	GHSA-mv42-px54-87jw
reference_type
scores
url	https://github.com/advisories/GHSA-mv42-px54-87jw

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	264
name	Permissions, Privileges, and Access Controls
description	Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

cwe_id	78
name	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
description	The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5m85-3zyu-7qak

Vulnerability Instance