CVE-2016-0762

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Published: Aug 10, 2017
Updated: Nov 8, 2023
CVE: CVE-2016-0762
GHSA: GHSA-wxcp-f2c8-x6xv
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-203

Affected Software
References

Software	From	Fixed in
apache / tomcat	6.0.0	6.0.45.x
apache / tomcat	7.0.0	7.0.70.x
apache / tomcat	8.0	8.0.36.x
apache / tomcat	8.5.0	8.5.4.x
canonical / ubuntu_linux	16.04	16.04.x
debian / debian_linux	8.0	8.0.x
redhat / enterprise_linux_desktop	7.0	7.0.x
redhat / enterprise_linux_workstation	7.0	7.0.x
redhat / enterprise_linux_server	7.0	7.0.x
redhat / enterprise_linux_server_aus	7.4	7.4.x
redhat / jboss_enterprise_web_server	3.0.0	3.0.0.x
redhat / enterprise_linux_eus	7.4	7.4.x
redhat / enterprise_linux_eus	7.5	7.5.x
redhat / enterprise_linux_server_tus	7.6	7.6.x
redhat / enterprise_linux_server_aus	7.6	7.6.x
redhat / enterprise_linux_eus	7.6	7.6.x
redhat / enterprise_linux_server_aus	7.7	7.7.x
redhat / enterprise_linux_server_tus	7.7	7.7.x
redhat / enterprise_linux_eus	7.7	7.7.x
oracle / communications_diameter_signaling_router	8.0.0	8.5.0.x
oracle / tekelec_platform_distribution	7.4.0	7.7.1.x
org.apache.tomcat / tomcat	9.0.0M1	9.0.0.M10
org.apache.tomcat / tomcat	8.5.0	8.5.5
org.apache.tomcat / tomcat	8.0.0.RC1	8.0.37
org.apache.tomcat / tomcat	7.0.0	7.0.72
org.apache.tomcat / tomcat	6.0.0	6.0.46
apache / tomcat	9.0.0-milestone1	9.0.0-milestone1.x
apache / tomcat	9.0.0-milestone2	9.0.0-milestone2.x
apache / tomcat	9.0.0-milestone3	9.0.0-milestone3.x
apache / tomcat	9.0.0-milestone4	9.0.0-milestone4.x
apache / tomcat	9.0.0-milestone5	9.0.0-milestone5.x
apache / tomcat	9.0.0-milestone6	9.0.0-milestone6.x
apache / tomcat	9.0.0-milestone7	9.0.0-milestone7.x
apache / tomcat	9.0.0-milestone8	9.0.0-milestone8.x
apache / tomcat	9.0.0-milestone9	9.0.0-milestone9.x

Vulnerability Database

289,599

CVE-2016-0762