What is CVE-2016-0714?

CVE-2016-0714 is a high-severity vulnerability in Apache Tomcat, classified under CWE-264. CVSS score: 8.8/10. Published 2016-02-25.

How severe is CVE-2016-0714?

High severity. CVSS v3 base score is 8.8 out of 10.

Is CVE-2016-0714 known to be exploited?

9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Tomcat

CVE-2016-0714

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityMana…

EPSS: 0.071 (91.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Apache Tomcat — versions 6.0.0, 6.0.1, 6.0.2
Canonical Ubuntu_linux — versions 12.04, 14.04, 15.10
Debian Debian_linux — versions 7.0, 8.0
N/a — versions n/a

Weakness classification (CWE)

CWE-264

Public proof-of-concept exploits

References

secalert@redhat.com (x_refsource_CONFIRM)
secalert@redhat.com (x_refsource_CONFIRM)
GLSA-201705-09 (vendor-advisory, x_refsource_GENTOO)
secalert@redhat.com (x_refsource_CONFIRM)
20160222 [SECURITY] CVE-2016-0714 Apache Tomcat Security Manager Bypass (mailing-list, x_refsource_BUGTRAQ)
secalert@redhat.com (x_refsource_CONFIRM)
openSUSE-SU-2016:0865 (vendor-advisory, x_refsource_SUSE)
secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
USN-3024-1 (x_refsource_UBUNTU, vendor-advisory)
SUSE-SU-2016:0769 (vendor-advisory, x_refsource_SUSE)

Frequently asked questions

What is CVE-2016-0714?: CVE-2016-0714 is a high-severity vulnerability in Apache Tomcat, classified under CWE-264. CVSS score: 8.8/10. Published 2016-02-25.
How severe is CVE-2016-0714?: High severity. CVSS v3 base score is 8.8 out of 10.
Is CVE-2016-0714 known to be exploited?: 9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.