CVE-2016-6816
Publication date 23 November 2016
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.
Status
Package | Ubuntu Release | Status |
---|---|---|
tomcat6 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial |
Fixed 6.0.45+dfsg-1ubuntu0.1
|
|
14.04 LTS trusty | Ignored end of ESM support, was needed | |
tomcat7 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Fixed 7.0.68-1ubuntu0.3
|
|
14.04 LTS trusty |
Fixed 7.0.52-1ubuntu0.8
|
|
tomcat8 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Fixed 8.0.38-2ubuntu1
|
|
16.04 LTS xenial |
Fixed 8.0.32-1ubuntu1.3
|
|
14.04 LTS trusty | Not in release | |
Patch details
Package | Patch details |
---|---|
tomcat6 | |
tomcat7 |
|
tomcat8 |
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.1 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | Low |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
References
Related Ubuntu Security Notices (USN)
- USN-3177-1
- Tomcat vulnerabilities
- 23 January 2017
- USN-4557-1
- Tomcat vulnerabilities
- 30 September 2020