CVE-2016-0763

medium

Apache

CVSS v3 Base Score

6.3

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score

0.3%

Exploitation probability in 30 days

Top 48% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Confidentiality

Low

Integrity

Low

Availability

Low

Published: February 25, 2016 (3732 days ago)

Last Modified: May 6, 2026

Vendor: Apache

Source: NVD

Description

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

CWE

CWE-264

Affected Products

debian debian linuxapache tomcatcanonical ubuntu linux

References

🔗 lists.fedoraproject.org 🔗 lists.opensuse.org 🔗 lists.opensuse.org 🔗 lists.opensuse.org 🔗 rhn.redhat.com

CVE-2016-0763

Vulnerability Report

Description

CWE

Affected Products

References