CVE-2016-0762

Severity: Medium
CVSS v3 Base Score
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
0.5%
Exploitation probability in 30 days
Top 34% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Confidentiality
High
Integrity
None
Availability
None
Published: August 10, 2017
Last Modified: May 13, 2026
Vendor: Apache
Source: NVD

Description

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

CWE

CWE-203

Affected Products

apache tomcat
canonical ubuntu linux
debian debian linux
redhat jboss enterprise web server
redhat enterprise linux desktop
redhat enterprise linux eus
redhat enterprise linux server
redhat enterprise linux server aus
redhat enterprise linux server tus
redhat enterprise linux workstation

References