CVE-2016-0762

State: PUBLISHED · Published: 2017-08-10 · Updated: 2024-09-17 · Assigner: apache

Description

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

CWE

(none)

Affected

Apache Software Foundation / Apache Tomcat — v=9.0.0.M1 to 9.0.0.M9 [affected]; v=8.5.0 to 8.5.4 [affected]; v=8.0.0.RC1 to 8.0.36 [affected]; v=7.0.0 to 7.0.70 [affected]; v=6.0.0 to 6.0.45 [affected]

CVSS

(none)

References

http://www.securitytracker.com/id/1037144 vdb-entry, x_refsource_SECTRACK
https://lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009%40%3Cannounce.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2017:2247 vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2017-0457.html vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:0455 vendor-advisory, x_refsource_REDHAT
http://www.securityfocus.com/bid/93939 vdb-entry, x_refsource_BID
http://www.debian.org/security/2016/dsa-3720 vendor-advisory, x_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2017:0456 vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://usn.ubuntu.com/4557-1/ vendor-advisory, x_refsource_UBUNTU
https://www.oracle.com//security-alerts/cpujul2021.html x_refsource_MISC
https://security.netapp.com/advisory/ntap-20180605-0001/ x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpuoct2021.html x_refsource_MISC

Source

cvelistV5-main/cves/2016/0xxx/CVE-2016-0762.json