Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Metrics
Affected Vendors & Products
References
History
Wed, 14 Aug 2024 00:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2017-04-06T21:00:00
Updated: 2024-08-06T02:27:41.259Z
Reserved: 2016-10-18T00:00:00
Link: CVE-2016-8735
Vulnrichment
No data.
NVD
Status : Modified
Published: 2017-04-06T21:59:00.243
Modified: 2024-11-21T02:59:57.203
Link: CVE-2016-8735
Redhat