Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
Moderate severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Dec 8, 2023
Package
Affected versions
= 9.0.0.M1
>= 8.0.0.RC1, <= 8.0.30
>= 6.0.0, <= 6.0.44
Patched versions
9.0.0.M2
8.0.31
6.0.45
Description
Published by the National Vulnerability Database
Feb 25, 2016
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Jul 6, 2022
Last updated
Dec 8, 2023
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
References