CVE-2019-12418

Description

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, or 7.0.0 to 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack and capture the user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

Risk Information

Base Score: 7.0 (MODERATE)
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 0.473

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2019-17563, CVE-2019-12418, CVE-2019-2684 are fixed in Apache Tomcat 7.0.99 (17 December 2019) | Windows
Vulnerabilities CVE-2019-12418, CVE-2019-2684 are fixed in Apache Tomcat 8.5.49 (21 November 2019) | Windows
Vulnerabilities CVE-2019-12418, CVE-2019-2684 are fixed in Apache Tomcat 9.0.29 (21 November 2019) | Windows
Vulnerabilities CVE-2019-12418, CVE-2019-17563 are fixed in Apache - tomcat-embed-core 7.0.99 | Windows
Vulnerability CVE-2019-12418 is fixed in Apache - tomcat-embed-core 8.5.49 | Windows
Vulnerability CVE-2019-12418 is fixed in Apache - tomcat-embed-core 9.0.29 | Windows
Multiple vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager 7.3.0 | Windows
tomcat8 security update (DSA-4596-1) tomcat8_8.5.50-0+deb9u1_all.deb | Linux
Servlet and JSP engine (USN-4251-1) tomcat8_8.0.32-1ubuntu1.11_all.deb | Linux
Servlet and JSP engine (USN-4251-1) libtomcat8-java_8.0.32-1ubuntu1.11_all.deb | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP4) tomcat-9.0.31-3.25.1.noarch.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-9.0.31-3.25.1.noarch_SP5.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP4) tomcat-admin-webapps-9.0.31-3.25.1.noarch.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP4) tomcat-docs-webapp-9.0.31-3.25.1.noarch.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-admin-webapps-9.0.31-3.25.1.noarch_SP5.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP4) tomcat-el-3_0-api-9.0.31-3.25.1.noarch.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-docs-webapp-9.0.31-3.25.1.noarch_SP5.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP4) tomcat-javadoc-9.0.31-3.25.1.noarch.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-el-3_0-api-9.0.31-3.25.1.noarch_SP5.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP4) tomcat-jsp-2_3-api-9.0.31-3.25.1.noarch.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-javadoc-9.0.31-3.25.1.noarch_SP5.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP4) tomcat-lib-9.0.31-3.25.1.noarch.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-jsp-2_3-api-9.0.31-3.25.1.noarch_SP5.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP4) tomcat-servlet-4_0-api-9.0.31-3.25.1.noarch.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-lib-9.0.31-3.25.1.noarch_SP5.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP4) tomcat-webapps-9.0.31-3.25.1.noarch.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-servlet-4_0-api-9.0.31-3.25.1.noarch_SP5.rpm | Linux
SUSE-SU-2020:0632-1 (SUSE Linux Enterprise Server 12-SP5) tomcat-webapps-9.0.31-3.25.1.noarch_SP5.rpm | Linux
tomcat9 security update (DSA-4680-1) tomcat9_9.0.31-1~deb10u1_all.deb | Linux
Vulnerabilities CVE-2019-17563, CVE-2019-12418, CVE-2019-2684 are fixed in Apache Tomcat 7.0.99 for Linux (17 December 2019) | Linux
Vulnerabilities CVE-2019-12418, CVE-2019-2684 are fixed in Apache Tomcat 8.5.49 for Linux (21 November 2019) | Linux
Vulnerabilities CVE-2019-12418, CVE-2019-2684 are fixed in Apache Tomcat 9.0.29 for Linux (21 November 2019) | Linux
Vulnerabilities CVE-2019-12418, CVE-2019-17563 are fixed in Apache - tomcat-embed-core for Linux 7.0.99 | Linux
Vulnerability CVE-2019-12418 is fixed in Apache - tomcat-embed-core for Linux 8.5.49 | Linux
Vulnerability CVE-2019-12418 is fixed in Apache - tomcat-embed-core for Linux 9.0.29 | Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2019-12418
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418