CVE-2019-12418

State: PUBLISHED · Published: 2019-12-23 · Updated: 2024-08-04 · Assigner: apache

Description

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

CWE

(none)

Affected

Apache Software Foundation / Apache Tomcat — v=9.0.0.M1 to 9.0.28 [affected]; v=8.5.0 to 8.5.47 [affected]; v=7.0.0 to 7.0.97 [affected]

CVSS

(none)

References

https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E x_refsource_CONFIRM
https://www.debian.org/security/2019/dsa-4596 vendor-advisory, x_refsource_DEBIAN
https://seclists.org/bugtraq/2019/Dec/43 mailing-list, x_refsource_BUGTRAQ
https://security.netapp.com/advisory/ntap-20200107-0001/ x_refsource_CONFIRM
https://support.f5.com/csp/article/K10107360?utm_source=f5support&amp%3Butm_medium=RSS x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html vendor-advisory, x_refsource_SUSE
https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html mailing-list, x_refsource_MLIST
https://usn.ubuntu.com/4251-1/ vendor-advisory, x_refsource_UBUNTU
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://security.gentoo.org/glsa/202003-43 vendor-advisory, x_refsource_GENTOO
https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html mailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuapr2020.html x_refsource_MISC
https://www.debian.org/security/2020/dsa-4680 vendor-advisory, x_refsource_DEBIAN

Source

cvelistV5-main/cves/2019/12xxx/CVE-2019-12418.json