Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

Remediation

References

CVE-2016-8735

Related Vulnerabilities

WordPress Plugin Page Flip Image Gallery 'book_id' Parameter Remote File Disclosure (0.2.2)

MySQL CVE-2020-14550 Vulnerability (CVE-2020-14550)

WordPress Plugin Relevanssi-A Better Search SQL Injection (3.2)

Liferay Portal Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2024-26265)

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-9665)

Severity

Critical

Classification

CVE-2016-8735 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities