CVE-2016-0706

NameCVE-2016-0706
DescriptionApache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-435-1, DSA-3530-1, DSA-3552-1, DSA-3609-1
NVD severitymedium (attack range: remote)
Debian Bugs802312

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat6 (PTS)wheezy6.0.45+dfsg-1~deb7u1fixed
wheezy (security)6.0.45+dfsg-1~deb7u5fixed
jessie (security), jessie6.0.45+dfsg-1~deb8u1fixed
tomcat7 (PTS)wheezy7.0.28-4+deb7u4fixed
wheezy (security)7.0.28-4+deb7u15fixed
jessie (security), jessie7.0.56-3+deb8u11fixed
stretch7.0.75-1fixed
buster, sid7.0.78-1fixed
tomcat8 (PTS)jessie8.0.14-1+deb8u10fixed
jessie (security)8.0.14-1+deb8u11fixed
stretch (security), stretch8.5.14-1+deb9u2fixed
buster, sid8.5.23-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6source(unstable)6.0.41-3medium
tomcat6sourcesqueeze6.0.45-1~deb6u1mediumDLA-435-1
tomcat6sourcewheezy6.0.45+dfsg-1~deb7u1mediumDSA-3530-1
tomcat7source(unstable)7.0.68-1medium
tomcat7sourcejessie7.0.56-3+deb8u2mediumDSA-3552-1
tomcat7sourcewheezy7.0.28-4+deb7u4mediumDSA-3552-1
tomcat8source(unstable)8.0.32-1medium
tomcat8sourcejessie8.0.14-1+deb8u2mediumDSA-3609-1
tomcat9ITP802312

Notes

Since 6.0.41-3, src:tomcat6 only builds a servlet and docs
Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3

Search for package or bug name: Reporting problems