What is CVE-2016-1240?

CVE-2016-1240 is a high-severity vulnerability in Apache Tomcat, classified under Improper Input Validation. CVSS score: 7.8/10. Published 2016-10-03.

How severe is CVE-2016-1240?

High severity. CVSS v3 base score is 7.8 out of 10.

Is CVE-2016-1240 known to be exploited?

12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Improper input validation in Apache Tomcat

CVE-2016-1240

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and lib…

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.222 (95.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.8 (High). Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Apache Tomcat — versions 6.0, 7.0, 8.0
Canonical Ubuntu_linux — versions 12.04, 14.04, 16.04
Debian Debian_linux — versions 8.0
N/a — versions n/a

Weakness classification (CWE)

CWE-20 — Improper Input Validation

Public proof-of-concept exploits

References

1036845 (Third Party Advisory, VDB Entry, vdb-entry)
DSA-3670 (vendor-advisory, Third Party Advisory)
GLSA-201705-09 (vendor-advisory)
security@debian.org
93263 (vdb-entry)
RHSA-2017:0457 (vendor-advisory)
security@debian.org
40450 (exploit)
DSA-3669 (vendor-advisory, Third Party Advisory)
RHSA-2017:0455 (vendor-advisory)

Frequently asked questions

What is CVE-2016-1240?: CVE-2016-1240 is a high-severity vulnerability in Apache Tomcat, classified under Improper Input Validation. CVSS score: 7.8/10. Published 2016-10-03.
How severe is CVE-2016-1240?: High severity. CVSS v3 base score is 7.8 out of 10.
Is CVE-2016-1240 known to be exploited?: 12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.