CVE-2016-0762

MEDIUM

Apache Tomcat <9.0.0.M10, <8.5.5, <8.0.37, <7.0.71, <6.0.46 - Info ...

Title source: llm

Description

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

References (24)

[Third Party Advisory] http://rhn.redhat.com/errata/RHSA-2017-0457.html

[Third Party Advisory] http://www.debian.org/security/2016/dsa-3720

[Broken Link] http://www.securityfocus.com/bid/93939

[Broken Link] http://www.securitytracker.com/id/1037144

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:0455

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:0456

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:2247

[Mailing List] https://lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009%40%3Cannounce.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20180605-0001/

[Third Party Advisory] https://usn.ubuntu.com/4557-1/

[Patch, Third Party Advisory] https://www.oracle.com//security-alerts/cpujul2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2021.html

[Mailing List] https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E

... and 4 more

Scores

CVSS v3 5.9

EPSS 0.0072

EPSS Percentile 72.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-203

Status published

Products (36)

apache/tomcat < 6.0.45

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

apache/tomcat

... and 26 more

Published Aug 10, 2017

Tracked Since Feb 18, 2026