The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
History
21 Nov 2024, 02:42
Type | Values Removed | Values Added |
---|---|---|
References | () http://rhn.redhat.com/errata/RHSA-2017-0457.html - Third Party Advisory | |
References | () http://www.debian.org/security/2016/dsa-3720 - Third Party Advisory | |
References | () http://www.securityfocus.com/bid/93939 - Broken Link | |
References | () http://www.securitytracker.com/id/1037144 - Broken Link | |
References | () https://access.redhat.com/errata/RHSA-2017:0455 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2017:0456 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2017:2247 - Third Party Advisory | |
References | () https://lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009%40%3Cannounce.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E - | |
References | () https://security.netapp.com/advisory/ntap-20180605-0001/ - Third Party Advisory | |
References | () https://usn.ubuntu.com/4557-1/ - Third Party Advisory | |
References | () https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory |
07 Nov 2023, 02:29
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2017-08-10 16:29
Updated : 2024-11-21 02:42
NVD link : CVE-2016-0762
Mitre link : CVE-2016-0762
CVE.ORG link : CVE-2016-0762
JSON object : View
Products Affected
redhat
- enterprise_linux_server
- enterprise_linux_desktop
- enterprise_linux_server_aus
- enterprise_linux_eus
- jboss_enterprise_web_server
- enterprise_linux_server_tus
- enterprise_linux_workstation
netapp
- oncommand_shift
- oncommand_insight
- snap_creator_framework
oracle
- tekelec_platform_distribution
- communications_diameter_signaling_router
canonical
- ubuntu_linux
apache
- tomcat
debian
- debian_linux
CWE
CWE-203
Observable Discrepancy