CVE-2016-0762
Published: 28 October 2016
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
Notes
| Author | Note |
|---|---|
| mdeslaur | tomcat7 in trusty doesn't look vulnerable |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
tomcat6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| focal |
Does not exist
|
|
| precise |
Released
(6.0.35-1ubuntu3.9)
|
|
| trusty |
Released
(6.0.39-1ubuntu0.1)
|
|
| upstream |
Released
(6.0.41-3)
|
|
| xenial |
Released
(6.0.45+dfsg-1ubuntu0.1)
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: https://svn.apache.org/viewvc?view=revision&revision=1758506 |
||
|
tomcat7 Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Not vulnerable
|
|
| cosmic |
Not vulnerable
|
|
| focal |
Does not exist
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Not vulnerable
(7.0.52-1ubuntu0.7)
|
|
| upstream |
Released
(7.0.72)
|
|
| xenial |
Released
(7.0.68-1ubuntu0.3)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
|
|
Patches: upstream: https://svn.apache.org/viewvc?view=revision&revision=1758502 |
||
|
tomcat8 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(8.0.38-2)
|
| bionic |
Not vulnerable
(8.0.38-2)
|
|
| cosmic |
Not vulnerable
(8.0.38-2)
|
|
| focal |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8.0.37)
|
|
| xenial |
Released
(8.0.32-1ubuntu1.3)
|
|
| yakkety |
Not vulnerable
(8.0.37-1)
|
|
| zesty |
Not vulnerable
(8.0.38-2)
|
|
|
Patches: upstream: https://svn.apache.org/viewvc?view=revision&revision=1758501 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.9 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |