CVE-2016-0762
Description
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
Risk Information
Base Score
5.9
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
1.077
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Update Tomcat to 9.5.14 | Windows |
| Update Tomcat to 9.5.5 | Windows |
| Update Tomcat to 9.5.7 | Windows |
| Update Tomcat to 9.5.8 | Windows |
| Update Tomcat to 9.6.10 | Windows |
| Update Tomcat to 9.6.3 | Windows |
| Update Tomcat to 9.6.4 | Windows |
| Update Tomcat to 9.6.7 | Windows |
| Update Tomcat to 9.6.8 | Windows |
| Update Tomcat to 2.4.5 | Windows |
| Update Tomcat to 3.0.14 | Windows |
| Vulnerabilities CVE-2016-0714,CVE-2016-6796,CVE-2016-0762 are fixed in Apache - tomcat 6.0.46 | Windows |
| Vulnerabilities CVE-2016-6794,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat 7.0.72 | Windows |
| Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat 8.0.37 | Windows |
| Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat 8.5.5 | Windows |
| Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat 9.0.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.0.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.4 | Windows |
| Servlet and JSP engine (USN-3081-1) tomcat8_8.0.32-1ubuntu1.3_all.deb | Linux |
| Servlet and JSP engine (USN-3081-1) libtomcat8-java_8.0.32-1ubuntu1.3_all.deb | Linux |
| Servlet and JSP engine (USN-3177-1) tomcat6_6.0.35-1ubuntu3.9_all.deb | Linux |
| Servlet and JSP engine (USN-3177-1) tomcat7_7.0.52-1ubuntu0.8_all.deb | Linux |
| Servlet and JSP engine (USN-3177-1) tomcat8_8.0.32-1ubuntu1.3_all.deb | Linux |
| Servlet and JSP engine (USN-3177-1) tomcat8_8.0.37-1ubuntu0.1_all.deb | Linux |
| Servlet and JSP engine (USN-3177-1) libtomcat6-java_6.0.35-1ubuntu3.9_all.deb | Linux |
| Servlet and JSP engine (USN-3177-1) libtomcat7-java_7.0.52-1ubuntu0.8_all.deb | Linux |
| Servlet and JSP engine (USN-3177-1) libtomcat8-java_8.0.32-1ubuntu1.3_all.deb | Linux |
| Servlet and JSP engine (USN-3177-2) tomcat6_6.0.35-1ubuntu3.10_all.deb | Linux |
| Servlet and JSP engine (USN-3177-2) tomcat7_7.0.52-1ubuntu0.9_all.deb | Linux |
| Servlet and JSP engine (USN-3177-2) libtomcat6-java_6.0.35-1ubuntu3.10_all.deb | Linux |
| Servlet and JSP engine (USN-3177-2) libtomcat7-java_7.0.52-1ubuntu0.9_all.deb | Linux |
| tomcat8 security update(DSA-3720-1) tomcat8_8.0.14-1+deb8u4_all.deb | Linux |
| tomcat7 security update(DSA-3721-1) tomcat7_7.0.56-3+deb8u5_all.deb | Linux |
| Update Tomcat to 9.5.14 (For Linux) | Linux |
| Update Tomcat to 9.5.5 (For Linux) | Linux |
| Update Tomcat to 9.5.7 (For Linux) | Linux |
| Update Tomcat to 9.5.8 (For Linux) | Linux |
| Update Tomcat to 9.6.10 (For Linux) | Linux |
| Update Tomcat to 9.6.3 (For Linux) | Linux |
| Update Tomcat to 9.6.4 (For Linux) | Linux |
| Update Tomcat to 9.6.7 (For Linux) | Linux |
| Update Tomcat to 9.6.8 (For Linux) | Linux |
| Update Tomcat to 2.4.5 (For Linux) | Linux |
| Update Tomcat to 3.0.14 (For Linux) | Linux |
| Servlet and JSP engine (USN-4557-1) libservlet2.5-java_6.0.45+dfsg-1ubuntu0.1_all.deb | Linux |
| Vulnerabilities CVE-2016-0714,CVE-2016-6796,CVE-2016-0762 are fixed in Apache - tomcat for Linux 6.0.46 | Linux |
| Vulnerabilities CVE-2016-6794,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat for Linux 7.0.72 | Linux |
| Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat for Linux 8.0.37 | Linux |
| Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat for Linux 8.5.5 | Linux |
| Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat for Linux 9.0.0 | Linux |
| Observable Discrepancy Vulnerability (CVE-2016-0762) | NCM |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234