GHSA-jc7p-5r39-9477

Source

https://github.com/advisories/GHSA-jc7p-5r39-9477

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jc7p-5r39-9477/GHSA-jc7p-5r39-9477.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jc7p-5r39-9477

Aliases

CVE-2016-6816

Published

2022-05-13T01:14:53Z

Modified

2024-03-11T05:31:23.170355Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS Calculator

Summary

Improper Input Validation in Apache Tomcat

Details

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

References

Affected packages

Maven / org.apache.tomcat:tomcat-coyote

Package

Name: org.apache.tomcat:tomcat-coyote; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0.M1

Fixed

9.0.0.M12

Affected versions

9.*

9.0.0.M1

9.0.0.M3

9.0.0.M4

9.0.0.M6

9.0.0.M8

9.0.0.M9

9.0.0.M10

9.0.0.M11

Database specific

{
    "last_known_affected_version_range": "<= 9.0.0.M11"
}

Maven / org.apache.tomcat:tomcat-coyote

Package

Name: org.apache.tomcat:tomcat-coyote; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.0

Fixed

8.5.8

Affected versions

8.*

8.5.0

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

Maven / org.apache.tomcat:tomcat-coyote

Package

Name: org.apache.tomcat:tomcat-coyote; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0RC1

Fixed

8.0.39

Affected versions

8.*

8.0.0-RC1

8.0.0-RC3

8.0.0-RC5

8.0.0-RC10

8.0.1

8.0.3

8.0.5

8.0.8

8.0.9

8.0.11

8.0.12

8.0.14

8.0.15

8.0.17

8.0.18

8.0.20

8.0.21

8.0.22

8.0.23

8.0.24

8.0.26

8.0.27

8.0.28

8.0.29

8.0.30

8.0.32

8.0.33

8.0.35

8.0.36

8.0.37

8.0.38

Maven / org.apache.tomcat:tomcat-coyote

Package

Name: org.apache.tomcat:tomcat-coyote; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.0.73

Affected versions

7.*

7.0.0

7.0.2

7.0.4

7.0.5

7.0.6

7.0.8

7.0.11

7.0.12

7.0.14

7.0.16

7.0.19

7.0.20

7.0.21

7.0.22

7.0.23

7.0.25

7.0.26

7.0.27

7.0.28

7.0.29

7.0.30

7.0.32

7.0.33

7.0.34

7.0.35

7.0.37

7.0.39

7.0.40

7.0.41

7.0.42

7.0.47

7.0.50

7.0.52

7.0.53

7.0.54

7.0.55

7.0.56

7.0.57

7.0.59

7.0.61

7.0.62

7.0.63

7.0.64

7.0.65

7.0.67

7.0.68

7.0.69

7.0.70

7.0.72

Maven / org.apache.tomcat:tomcat-coyote

Package

Name: org.apache.tomcat:tomcat-coyote; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.48