Home > Vulnerability Database > CVE-2016-6794

Mend.io Vulnerability Database

CVE-2016-6794

Good to know:

Date: August 10, 2017

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Language: Java

Severity Score

5.3

Related Resources (53)

Url: https://github.com/apache/tomcat/commit/0b41766456b1980e4f809e13ad6dc9fa912bae7e

Url: https://lists.apache.org/thread.html/09d2f2c65ac4ff5da42f15dc2b0f78b655e50f1a42e8a9784134a9eb%40%3Cannounce.tomcat.apache.org%3E

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-6794

Url: https://usn.ubuntu.com/4557-1/

Url: https://lists.apache.org/thread.html/09d2f2c65ac4ff5da42f15dc2b0f78b655e50f1a42e8a9784134a9eb@%3Cannounce.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E

Url: https://github.com/apache/tomcat

Url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E

Url: http://www.securitytracker.com/id/1037143

Url: https://github.com/apache/tomcat/commit/f8db078f1e6e8b225f8344e63595113ca34cd408

Url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E

Url: https://www.oracle.com/security-alerts/cpuoct2021.html

Url: http://rhn.redhat.com/errata/RHSA-2017-0457.html

Url: https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2017:2247

Url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2017:0455

Url: https://access.redhat.com/errata/RHSA-2017:0456

Url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E

Url: https://access.redhat.com/security/cve/CVE-2016-6794

Url: https://usn.ubuntu.com/4557-1

Url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E

Url: http://www.debian.org/security/2016/dsa-3720

Url: https://web.archive.org/web/20170626130744/http://www.securityfocus.com/bid/93943

Url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

Url: https://github.com/apache/tomcat/commit/c1660182010b4255c21c874d69c124370a67784a

Url: https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E

Url: https://web.archive.org/web/20170317100547/http://www.securitytracker.com/id/1037143

Url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Url: http://www.securityfocus.com/bid/93943

Url: https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

Url: https://github.com/apache/tomcat80/commit/ae6163a4f230bc679abfc93e048ff92996badad6

Url: https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

Url: https://security.netapp.com/advisory/ntap-20180605-0001

Url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

Url: https://security.netapp.com/advisory/ntap-20180605-0001/

Url: https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E

Url: https://www.mend.io/vulnerability-database/CVE-2016-6794

Url: https://www.mend.io/resources/blog/top-10-security-vulnerabilities-of-2017

Severity Score

5.3

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.5.X;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.5.X;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;io.hawt:hawtio-sample-springboot:1.4.15;org.apache.tomcat:tomcat-util-scan:9.0.0.M10;org.apache.tomcat:tomcat-util-scan:8.5.5;org.apache.tomcat:tomcat-util-scan:8.0.37;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.camel:camel-example-spring-boot-metrics:2.17.1;org.apache.tomcat.embed:tomcat-embed-core:8.0.37;org.apache.tomcat.embed:tomcat-embed-core:9.0.0.M10;org.apache.tomcat.embed:tomcat-embed-core:7.0.72;org.apache.tomcat.embed:tomcat-embed-core:8.5.5;org.apache.tomcat:tomcat-coyote:9.0.0.M10;org.apache.tomcat:tomcat-coyote:8.0.37;org.apache.tomcat:tomcat-coyote:8.5.5;org.apache.tomcat:tomcat-coyote:7.0.72;org.apache.tomcat:tomcat-catalina:7.0.72;org.apache.tomcat:tomcat-catalina:8.5.5;org.apache.tomcat:tomcat-catalina:8.0.37;org.apache.tomcat:tomcat-catalina:9.0.0.M10;org.apache.camel:camel-example-spring-boot:2.17.1;org.apache.camel:camel-example-spring-boot:2.17.1;org.apache.camel:camel-example-spring-boot:2.17.1

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2016-6794

Good to know:

Date: August 10, 2017

Language: Java

Severity Score

Related Resources (53)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?