Home

CVE-2016-6794

Description

When a SecurityManager is configured, a web applications ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Risk Information

Base Score
5.3
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
Exploitation Probability
0.361

Associated Vulnerability

VulnerabilityOS Platform
Update Tomcat to 9.5.14Windows
Update Tomcat to 9.5.5Windows
Update Tomcat to 9.5.7Windows
Update Tomcat to 9.5.8Windows
Update Tomcat to 9.6.10Windows
Update Tomcat to 9.6.3Windows
Update Tomcat to 9.6.4Windows
Update Tomcat to 9.6.7Windows
Update Tomcat to 9.6.8Windows
Update Tomcat to 2.4.5Windows
Update Tomcat to 3.0.14Windows
Vulnerabilities CVE-2016-6794 are fixed in Apache - tomcat 6.0.47Windows
Vulnerabilities CVE-2016-6794,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat 7.0.72Windows
Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat 8.0.37Windows
Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat 8.5.5Windows
Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat 9.0.0Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.0.3Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.4Windows
Servlet and JSP engine (USN-3081-1) tomcat8_8.0.32-1ubuntu1.3_all.debLinux
Servlet and JSP engine (USN-3081-1) libtomcat8-java_8.0.32-1ubuntu1.3_all.debLinux
Servlet and JSP engine (USN-3177-1) tomcat6_6.0.35-1ubuntu3.9_all.debLinux
Servlet and JSP engine (USN-3177-1) tomcat7_7.0.52-1ubuntu0.8_all.debLinux
Servlet and JSP engine (USN-3177-1) tomcat8_8.0.32-1ubuntu1.3_all.debLinux
Servlet and JSP engine (USN-3177-1) tomcat8_8.0.37-1ubuntu0.1_all.debLinux
Servlet and JSP engine (USN-3177-1) libtomcat6-java_6.0.35-1ubuntu3.9_all.debLinux
Servlet and JSP engine (USN-3177-1) libtomcat7-java_7.0.52-1ubuntu0.8_all.debLinux
Servlet and JSP engine (USN-3177-1) libtomcat8-java_8.0.32-1ubuntu1.3_all.debLinux
tomcat8 security update(DSA-3720-1) tomcat8_8.0.14-1+deb8u4_all.debLinux
tomcat7 security update(DSA-3721-1) tomcat7_7.0.56-3+deb8u5_all.debLinux
Update Tomcat to 9.5.14 (For Linux)Linux
Update Tomcat to 9.5.5 (For Linux)Linux
Update Tomcat to 9.5.7 (For Linux)Linux
Update Tomcat to 9.5.8 (For Linux)Linux
Update Tomcat to 9.6.10 (For Linux)Linux
Update Tomcat to 9.6.3 (For Linux)Linux
Update Tomcat to 9.6.4 (For Linux)Linux
Update Tomcat to 9.6.7 (For Linux)Linux
Update Tomcat to 9.6.8 (For Linux)Linux
Update Tomcat to 2.4.5 (For Linux)Linux
Update Tomcat to 3.0.14 (For Linux)Linux
Servlet and JSP engine (USN-4557-1) libservlet2.5-java_6.0.45+dfsg-1ubuntu0.1_all.debLinux
Vulnerabilities CVE-2016-6794 are fixed in Apache - tomcat for Linux 6.0.47Linux
Vulnerabilities CVE-2016-6794,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat for Linux 7.0.72Linux
Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat for Linux 8.0.37Linux
Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat for Linux 8.5.5Linux
Vulnerabilities CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-0762 are fixed in Apache - tomcat for Linux 9.0.0Linux
CVE-2016-6794NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234