1. Home
  2. CVE Database
  3. CVE-2016-0763
MEDIUM · 6.3

CVE-2016-0763

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkF...

Vulnerability Description

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

CVSS Score

6.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW

Affected Products

VendorProductVersions
DebianDebian Linux7.0
ApacheTomcat7.0.0
CanonicalUbuntu Linux12.04

Related Weaknesses (CWE)

CWE-264

References

FAQ

What is CVE-2016-0763?

CVE-2016-0763 is a vulnerability with a CVSS score of 6.3 (MEDIUM). The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkF...

How severe is CVE-2016-0763?

CVE-2016-0763 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-0763?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Apache Tomcat, Canonical Ubuntu Linux.