CVE-2019-12418

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

Published: Dec 23, 2019
Updated: Nov 8, 2023
CVE: CVE-2019-12418
GHSA: GHSA-hh3j-x4mc-g48r
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Low
Score: 4.4
AV:L/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-522

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
apache / tomcat	7.0.0	7.0.97.x
apache / tomcat	8.5.0	8.5.47.x
apache / tomcat	9.0.0	9.0.28.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
oracle / workload_manager	18c	18c.x
oracle / workload_manager	19c	19c.x
oracle / workload_manager	12.2.0.1	12.2.0.1.x
canonical / ubuntu_linux	16.04	16.04.x
opensuse / leap	15.1	15.1.x
netapp / oncommand_system_manager	3.0.0	3.1.3.x
org.apache.tomcat.embed / tomcat-embed-core	-	7.0.99
org.apache.tomcat.embed / tomcat-embed-core	8.0.0	8.5.49
org.apache.tomcat.embed / tomcat-embed-core	9.0.0	9.0.29

Vulnerability Database

289,599

CVE-2019-12418