CVE-2016-8747 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2016-8747?

CVE-2016-8747 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-8747?

Check the references section above for vendor advisories and patch information. Affected products include: Netapp Oncommand Insight, Netapp Oncommand Shift, Apache Tomcat.

Vulnerability Description

An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Netapp	Oncommand Insight	-
Netapp	Oncommand Shift	-
Apache	Tomcat	>= 8.5.7, < 8.5.10

Related Weaknesses (CWE)

CWE-200

References

http://svn.apache.org/viewvc?view=revision&revision=1774161Issue TrackingPatchVendor Advisory
http://svn.apache.org/viewvc?view=revision&revision=1774166Issue TrackingPatchVendor Advisory
http://tomcat.apache.org/security-8.htmlRelease NotesVendor Advisory
http://tomcat.apache.org/security-9.htmlRelease NotesVendor Advisory
http://www.securityfocus.com/bid/96895Broken Link
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e8Patch
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3Patch
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77Patch
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429ePatch
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafaPatch
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453Patch
https://security.netapp.com/advisory/ntap-20180614-0002/Third Party Advisory
http://svn.apache.org/viewvc?view=revision&revision=1774161Issue TrackingPatchVendor Advisory
http://svn.apache.org/viewvc?view=revision&revision=1774166Issue TrackingPatchVendor Advisory
http://tomcat.apache.org/security-8.htmlRelease NotesVendor Advisory

FAQ

What is CVE-2016-8747?

CVE-2016-8747 is a vulnerability with a CVSS score of 7.5 (HIGH). An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data t...

How severe is CVE-2016-8747?

CVE-2016-8747 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-8747?

Check the references section above for vendor advisories and patch information. Affected products include: Netapp Oncommand Insight, Netapp Oncommand Shift, Apache Tomcat.