CVE-2016-0763 — Improper Verification of Source of a Communication Channel in Apache Tomcat

Description

The `setGlobalContext` method in `org/apache/naming/factory/ResourceLinkFactory.java` in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

How to fix CVE-2016-0763

To remediate CVE-2016-0763, upgrade the affected package to a fixed version below.

—upgrade to 7.0.68 or later

Is CVE-2016-0763 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 7.0.0, < 7.0.68

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References (40)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-0763
PATCHgithub.com/apache/tomcat
WEBlists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html
WEBlists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html