#VU1091 Information disclosure in Apache Tomcat - CVE-2016-6797 

 


Published: October 28, 2016 / Updated: October 31, 2016


Vulnerability identifier: #VU1091
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6797
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Apache Tomcat
Software vendor: Apache Foundation

Description

The vulnerability allows a web application to gain access to global resources on the target system.
The weakness exists due to a flaw in ResourceLinkFactory that allows a web application to obtain global JNDI resources.
Successful exploitation of the vulnerability gives the application access to global JNDI resources on the vulnerable system.

Remediation

Update to version 6.0.47, 7.0.72, 8.0.37, 8.5.5 or 9.0.0.M10.
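
To triage an inventory against the fixed releases listed above, the following added example (not part of the advisory or of Apache Tomcat) compares a reported version with the fixed release for its branch. The names `FIXED`, `parse_version` and `check` are hypothetical, and the sample banners are constructed; branches the advisory does not list are reported as unknown rather than guessed.

```python
import re

# Fixed releases exactly as listed in the Remediation section, keyed by branch.
FIXED = {
    (6, 0): "6.0.47",
    (7, 0): "7.0.72",
    (8, 0): "8.0.37",
    (8, 5): "8.5.5",
    (9, 0): "9.0.0.M10",
}

# major.minor.patch, optionally followed by a milestone tag such as ".M10".
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")
_FINAL = float("inf")  # a final release sorts after every milestone build


def parse_version(text):
    """Return (major, minor, patch, milestone) from a Tomcat version string."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else _FINAL
    return (major, minor, patch, milestone)


def check(text):
    """Classify a version string as 'fixed', 'update-needed' or 'unknown-branch'."""
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown-branch"  # the advisory lists no fixed release for it
    return "fixed" if version >= parse_version(fixed) else "update-needed"


if __name__ == "__main__":
    # Constructed sample inventory, in the "Apache Tomcat/x.y.z" banner form.
    for banner in ("Apache Tomcat/7.0.70", "Apache Tomcat/8.5.5",
                   "Apache Tomcat/9.0.0.M9", "Apache Tomcat/10.1.0"):
        print(f"{banner:28} {check(banner)}")
```

A vendor-packaged Tomcat may carry a backported fix without changing the upstream version number, so treat the result as a first-pass filter and confirm against the package changelog.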
