The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
History
08 Dec 2023, 16:41
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:m3:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:m7:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:m5:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:m8:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:m4:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:m2:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:m9:*:*:*:*:*:* |
cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:* |
07 Nov 2023, 02:29
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
18 Apr 2022, 17:57
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory | |
References | (UBUNTU) https://usn.ubuntu.com/4557-1/ - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20180605-0001/ - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2017-0457.html - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2017:0456 - Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2017:2247 - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (DEBIAN) http://www.debian.org/security/2016/dsa-3720 - Third Party Advisory | |
References | (BID) http://www.securityfocus.com/bid/93939 - Broken Link | |
References | (MLIST) https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (SECTRACK) http://www.securitytracker.com/id/1037144 - Broken Link | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2017:0455 - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
First Time |
Netapp snap Creator Framework
Debian debian Linux Oracle communications Diameter Signaling Router Redhat enterprise Linux Desktop Netapp oncommand Shift Redhat enterprise Linux Server Oracle Redhat enterprise Linux Eus Redhat enterprise Linux Server Tus Redhat jboss Enterprise Web Server Netapp Canonical ubuntu Linux Redhat enterprise Linux Server Aus Oracle tekelec Platform Distribution Canonical Debian Netapp oncommand Insight Redhat enterprise Linux Workstation Redhat |
|
CPE | cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.21:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.40:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.34:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.42:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.38:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.25:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.44:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.19:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.43:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.31:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.45:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.36:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.25:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.34:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.23:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.13:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.22:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.16:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:* |
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:tekelec_platform_distribution:*:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:* |
CWE | CWE-203 |
20 Oct 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2017-08-10 16:29
Updated : 2023-12-10 12:15
NVD link : CVE-2016-0762
Mitre link : CVE-2016-0762
CVE.ORG link : CVE-2016-0762
JSON object : View
Products Affected
debian
- debian_linux
netapp
- oncommand_shift
- snap_creator_framework
- oncommand_insight
apache
- tomcat
redhat
- jboss_enterprise_web_server
- enterprise_linux_server_aus
- enterprise_linux_server_tus
- enterprise_linux_server
- enterprise_linux_workstation
- enterprise_linux_desktop
- enterprise_linux_eus
oracle
- tekelec_platform_distribution
- communications_diameter_signaling_router
canonical
- ubuntu_linux
CWE
CWE-203
Observable Discrepancy