CVE-2016-0763

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Published: Feb 25, 2016
Updated: Nov 8, 2023
CVE: CVE-2016-0763
GHSA: GHSA-9hjv-9h75-xmpp
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

Affected Software
References

Software	From	Fixed in
debian / debian_linux	8.0	8.0.x
debian / debian_linux	7.0	7.0.x
apache / tomcat	7.0.2-beta	7.0.2-beta.x
apache / tomcat	8.0.30	8.0.30.x
apache / tomcat	7.0.12	7.0.12.x
apache / tomcat	7.0.62	7.0.62.x
apache / tomcat	8.0.17	8.0.17.x
apache / tomcat	7.0.53	7.0.53.x
apache / tomcat	7.0.20	7.0.20.x
apache / tomcat	7.0.34	7.0.34.x
apache / tomcat	8.0.26	8.0.26.x
apache / tomcat	7.0.55	7.0.55.x
apache / tomcat	7.0.4-beta	7.0.4-beta.x
apache / tomcat	7.0.63	7.0.63.x
apache / tomcat	8.0.20	8.0.20.x
apache / tomcat	7.0.22	7.0.22.x
apache / tomcat	7.0.39	7.0.39.x
apache / tomcat	7.0.26	7.0.26.x
apache / tomcat	7.0.28	7.0.28.x
apache / tomcat	8.0.1	8.0.1.x
apache / tomcat	8.0.0-rc3	8.0.0-rc3.x
apache / tomcat	7.0.59	7.0.59.x
apache / tomcat	7.0.65	7.0.65.x
apache / tomcat	7.0.50	7.0.50.x
apache / tomcat	7.0.6	7.0.6.x
apache / tomcat	8.0.12	8.0.12.x
apache / tomcat	7.0.14	7.0.14.x
apache / tomcat	8.0.27	8.0.27.x
apache / tomcat	8.0.15	8.0.15.x
apache / tomcat	7.0.11	7.0.11.x
apache / tomcat	7.0.67	7.0.67.x
apache / tomcat	8.0.0-rc1	8.0.0-rc1.x
apache / tomcat	7.0.23	7.0.23.x
apache / tomcat	7.0.0-beta	7.0.0-beta.x
apache / tomcat	8.0.22	8.0.22.x
apache / tomcat	8.0.29	8.0.29.x
apache / tomcat	7.0.52	7.0.52.x
apache / tomcat	7.0.42	7.0.42.x
apache / tomcat	7.0.37	7.0.37.x
apache / tomcat	7.0.29	7.0.29.x
apache / tomcat	8.0.11	8.0.11.x
apache / tomcat	8.0.24	8.0.24.x
apache / tomcat	8.0.0-rc10	8.0.0-rc10.x
apache / tomcat	8.0.23	8.0.23.x
apache / tomcat	7.0.47	7.0.47.x
apache / tomcat	7.0.5-beta	7.0.5-beta.x
apache / tomcat	8.0.21	8.0.21.x
apache / tomcat	7.0.41	7.0.41.x
apache / tomcat	7.0.30	7.0.30.x
apache / tomcat	7.0.19	7.0.19.x
apache / tomcat	7.0.16	7.0.16.x
apache / tomcat	7.0.10	7.0.10.x
apache / tomcat	8.0.18	8.0.18.x
apache / tomcat	7.0.25	7.0.25.x
apache / tomcat	7.0.54	7.0.54.x
apache / tomcat	7.0.35	7.0.35.x
apache / tomcat	7.0.61	7.0.61.x
apache / tomcat	8.0.3	8.0.3.x
apache / tomcat	7.0.57	7.0.57.x
apache / tomcat	8.0.14	8.0.14.x
apache / tomcat	8.0.0-rc5	8.0.0-rc5.x
apache / tomcat	7.0.32	7.0.32.x
apache / tomcat	7.0.21	7.0.21.x
apache / tomcat	7.0.27	7.0.27.x
apache / tomcat	7.0.40	7.0.40.x
apache / tomcat	7.0.56	7.0.56.x
apache / tomcat	8.0.28	8.0.28.x
apache / tomcat	7.0.64	7.0.64.x
apache / tomcat	7.0.33	7.0.33.x
canonical / ubuntu_linux	12.04	12.04.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	15.10	15.10.x
canonical / ubuntu_linux	14.04	14.04.x
org.apache.tomcat / tomcat	7.0.0	7.0.68
org.apache.tomcat / tomcat	8.0.0	8.0.32
org.apache.tomcat / tomcat	9.0.0M1	9.0.0.M3
apache / tomcat	9.0.0-milestone1	9.0.0-milestone1.x

Vulnerability Database

289,599

CVE-2016-0763