GHSA-4v3g-g84w-hv7r

Source

https://github.com/advisories/GHSA-4v3g-g84w-hv7r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4v3g-g84w-hv7r/GHSA-4v3g-g84w-hv7r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4v3g-g84w-hv7r

Aliases

CVE-2016-5018

Published

2022-05-13T01:02:15Z

Modified

2024-04-18T17:16:41.995093Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Authentication Bypass Using an Alternate Path or Channel in Apache Tomcat

Details

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

References

Affected packages

Maven / org.apache.tomcat:tomcat-jasper

Package

Name: org.apache.tomcat:tomcat-jasper; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-jasper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0.M1

Fixed

9.0.0.M10

Affected versions

9.*

9.0.0.M1

9.0.0.M3

9.0.0.M4

9.0.0.M6

9.0.0.M8

9.0.0.M9

Database specific

{
    "last_known_affected_version_range": "<= 9.0.0.M9"
}

Maven / org.apache.tomcat:tomcat-jasper

Package

Name: org.apache.tomcat:tomcat-jasper; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-jasper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.0

Fixed

8.5.5

Affected versions

8.*

8.5.0

8.5.2

8.5.3

8.5.4

Database specific

{
    "last_known_affected_version_range": "<= 8.5.4"
}

Maven / org.apache.tomcat:tomcat-jasper

Package

Name: org.apache.tomcat:tomcat-jasper; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-jasper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0RC1

Fixed

8.0.37

Affected versions

8.*

8.0.0-RC1

8.0.0-RC3

8.0.0-RC5

8.0.0-RC10

8.0.1

8.0.3

8.0.5

8.0.8

8.0.9

8.0.11

8.0.12

8.0.14

8.0.15

8.0.17

8.0.18

8.0.20

8.0.21

8.0.22

8.0.23

8.0.24

8.0.26

8.0.27

8.0.28

8.0.29

8.0.30

8.0.32

8.0.33

8.0.35

8.0.36

Database specific

{
    "last_known_affected_version_range": "<= 8.0.36"
}

Maven / org.apache.tomcat:tomcat-jasper

Package

Name: org.apache.tomcat:tomcat-jasper; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-jasper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.0.72

Affected versions

7.*

7.0.0

7.0.2

7.0.4

7.0.5

7.0.6

7.0.8

7.0.11

7.0.12

7.0.14

7.0.16

7.0.19

7.0.20

7.0.21

7.0.22

7.0.23

7.0.25

7.0.26

7.0.27

7.0.28

7.0.29

7.0.30

7.0.32

7.0.33

7.0.34

7.0.35

7.0.37

7.0.39

7.0.40

7.0.41

7.0.42

7.0.47

7.0.50

7.0.52

7.0.53

7.0.54

7.0.55

7.0.56

7.0.57

7.0.59

7.0.61

7.0.62

7.0.63

7.0.64

7.0.65

7.0.67

7.0.68

7.0.69

7.0.70

Database specific

{
    "last_known_affected_version_range": "<= 7.0.70"
}

Maven / org.apache.tomcat:jasper

Package

Name: org.apache.tomcat:jasper; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/jasper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.47

Affected versions

6.*

6.0.13

6.0.14

6.0.16

6.0.18

6.0.20

6.0.24

6.0.26

6.0.28

6.0.29

6.0.30

6.0.32

6.0.33

6.0.35

6.0.36

6.0.37

6.0.39

6.0.41

6.0.43

6.0.44

6.0.45

Database specific

{
    "last_known_affected_version_range": "<= 6.0.45"
}

Maven / org.apache.tomcat.embed:tomcat-embed-jasper

Package

Name: org.apache.tomcat.embed:tomcat-embed-jasper; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-jasper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0.M1

Fixed

9.0.0.M10

Affected versions

9.*

9.0.0.M1

9.0.0.M3

9.0.0.M4

9.0.0.M6

9.0.0.M8

9.0.0.M9

Database specific

{
    "last_known_affected_version_range": "<= 9.0.0.M9"
}

Maven / org.apache.tomcat.embed:tomcat-embed-jasper

Package

Name: org.apache.tomcat.embed:tomcat-embed-jasper; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-jasper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.0

Fixed

8.5.5

Affected versions

8.*

8.5.0

8.5.2

8.5.3

8.5.4

Database specific

{
    "last_known_affected_version_range": "<= 8.5.4"
}

Maven / org.apache.tomcat.embed:tomcat-embed-jasper

Package

Name: org.apache.tomcat.embed:tomcat-embed-jasper; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-jasper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0RC1

Fixed

8.0.37

Affected versions

8.*

8.0.0-RC1

8.0.0-RC3

8.0.0-RC5

8.0.0-RC10

8.0.1

8.0.3

8.0.5

8.0.8

8.0.9

8.0.11

8.0.12

8.0.14

8.0.15

8.0.17

8.0.18

8.0.20

8.0.21

8.0.22

8.0.23

8.0.24

8.0.26

8.0.27

8.0.28

8.0.29

8.0.30

8.0.32

8.0.33

8.0.35

8.0.36

Database specific

{
    "last_known_affected_version_range": "<= 8.0.36"
}

Maven / org.apache.tomcat.embed:tomcat-embed-jasper

Package

Name: org.apache.tomcat.embed:tomcat-embed-jasper; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-jasper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.0.72

Affected versions

7.*

7.0.0

7.0.2

7.0.4

7.0.5

7.0.6

7.0.8

7.0.11

7.0.12

7.0.14

7.0.16

7.0.19

7.0.20

7.0.21

7.0.22

7.0.23

7.0.25

7.0.26

7.0.27

7.0.28

7.0.29

7.0.30

7.0.32

7.0.33

7.0.34

7.0.35

7.0.37

7.0.39

7.0.40

7.0.41

7.0.42

7.0.47

7.0.50

7.0.52

7.0.53

7.0.54

7.0.55

7.0.56

7.0.57

7.0.59

7.0.61

7.0.62

7.0.63

7.0.64

7.0.65

7.0.67

7.0.68

7.0.69

7.0.70

Database specific

{
    "last_known_affected_version_range": "<= 7.0.70"
}

Maven / org.apache.tomcat.embed:tomcat-embed-jasper

Package

Name: org.apache.tomcat.embed:tomcat-embed-jasper; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-jasper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.47

Database specific

{
    "last_known_affected_version_range": "<= 6.0.45"
}