CVE-2016-6794

Severity: Medium
CVSS v3 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.3% (exploitation probability in 30 days; top 50% most likely to be exploited)

Attack Characteristics

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Confidentiality: Low
Integrity: None
Availability: None
Published: August 10, 2017
Last Modified: May 13, 2026
Vendor: Apache
Source: NVD

Description

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, and 6.0.0 to 6.0.45, the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

CWE

NVD-CWE-noinfo

Affected Products

apache tomcat
debian debian linux
redhat jboss enterprise web server
redhat enterprise linux desktop
redhat enterprise linux eus
redhat enterprise linux server
redhat enterprise linux server aus
redhat enterprise linux server tus
redhat enterprise linux workstation
netapp oncommand insight

References