The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
History
07 Nov 2023, 02:29
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2017-08-10 16:29
Updated : 2024-02-28 16:04
NVD link : CVE-2016-0762
Mitre link : CVE-2016-0762
CVE.ORG link : CVE-2016-0762
JSON object : View
Products Affected
redhat
- enterprise_linux_workstation
- enterprise_linux_desktop
- enterprise_linux_server_aus
- enterprise_linux_server
- jboss_enterprise_web_server
- enterprise_linux_server_tus
- enterprise_linux_eus
debian
- debian_linux
netapp
- snap_creator_framework
- oncommand_insight
- oncommand_shift
canonical
- ubuntu_linux
oracle
- tekelec_platform_distribution
- communications_diameter_signaling_router
apache
- tomcat
CWE
CWE-203
Observable Discrepancy