CVE-2016-0714

NameCVE-2016-0714
DescriptionThe session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-435-1, DSA-3530-1, DSA-3552-1, DSA-3609-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat7 (PTS)stretch7.0.75-1fixed
tomcat8 (PTS)stretch8.5.54-0+deb9u1fixed
stretch (security)8.5.54-0+deb9u8fixed
tomcat9 (PTS)buster9.0.31-1~deb10u4fixed
buster (security)9.0.31-1~deb10u5fixed
bullseye9.0.43-1fixed
bullseye (security)9.0.43-2~deb11u1fixed
bookworm, sid9.0.43-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6sourcesqueeze6.0.45-1~deb6u1DLA-435-1
tomcat6sourcewheezy6.0.45+dfsg-1~deb7u1DSA-3530-1
tomcat6source(unstable)6.0.41-3
tomcat7sourcewheezy7.0.28-4+deb7u4DSA-3552-1
tomcat7sourcejessie7.0.56-3+deb8u2DSA-3552-1
tomcat7source(unstable)7.0.68-1
tomcat8sourcejessie8.0.14-1+deb8u2DSA-3609-1
tomcat8source(unstable)8.0.32-1
tomcat9source(unstable)(not affected)

Notes

- tomcat9 <not-affected> (Fixed before initial upload to Debian)
Since 6.0.41-3, src:tomcat6 only builds a servlet and docs
Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3

Search for package or bug name: Reporting problems