GHSA-6vx3-hr43-cfrh

Suggest an improvement
Source
https://github.com/advisories/GHSA-6vx3-hr43-cfrh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6vx3-hr43-cfrh/GHSA-6vx3-hr43-cfrh.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6vx3-hr43-cfrh
Aliases
Published
2022-05-14T01:10:17Z
Modified
2024-03-16T05:18:48.032572Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
Details

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

Database specific
{
    "nvd_published_at": "2016-02-25T01:59:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T20:07:37Z"
}
References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0.M1
Fixed
9.0.0.M2

Affected versions

9.*

9.0.0.M1

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0.RC1
Fixed
8.0.31

Affected versions

8.*

8.0.1
8.0.3
8.0.5
8.0.8
8.0.9
8.0.11
8.0.12
8.0.14
8.0.15
8.0.17
8.0.18
8.0.20
8.0.21
8.0.22
8.0.23
8.0.24
8.0.26
8.0.27
8.0.28
8.0.29
8.0.30

Database specific

{
    "last_known_affected_version_range": "<= 8.0.30"
}

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.45

Database specific

{
    "last_known_affected_version_range": "<= 6.0.44"
}