7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2016-6797

GHSA ID

GHSA-q6x7-f33r-3wxx

EPSS Score

0.59857%

CWE

CWE-863

Published

5/13/2022

Updated

2/23/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-6797

CVE-2016-6797: Incorrect Authorization in Apache Tomcat

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2016-6797

GHSA ID

GHSA-q6x7-f33r-3wxx

EPSS Score

0.59857%

CWE

CWE-863

Published

5/13/2022

Updated

2/23/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat	maven	>= 9.0.0.M1, <= 9.0.0.M9	9.0.0.M10
org.apache.tomcat:tomcat	maven	>= 8.5.0, <= 8.5.4	8.5.5
org.apache.tomcat:tomcat	maven	>= 8.0.0, <= 8.0.36	8.0.37
org.apache.tomcat:tomcat	maven	>= 7.0.0, < 7.0.72	7.0.72

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing authorization checks in ResourceLinkFactory's lookup logic (getObjectInstance) and improper lifecycle management of resource links in NamingContextListener. The patch added: 1) A validation check in getObjectInstance via validateGlobalResourceAccess, 2) Registration/deregistration hooks in addResourceLink/removeResourceLink to track authorized resources. These changes directly address the root cause of unrestricted JNDI access described in CVE-2016-6797.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** R*sour**Link***tory impl*m*nt*tion in *p**** Tom**t *.*.*.M* to *.*.*.M*, *.*.* to *.*.*, *.*.*.R** to *.*.**, *.*.* to *.*.** *n* *.*.* to *.*.** *i* not limit w** *ppli**tion ****ss to *lo**l JN*I r*sour**s to t*os* r*sour**s *xpli*itly link**

Reasoning

T** vuln*r**ility st*mm** *rom missin* *ut*oriz*tion ****ks in `R*sour**Link***tory`'s lookup lo*i* (`**tO*j**tInst*n**`) *n* improp*r li***y*l* m*n***m*nt o* r*sour** links in `N*min**ont*xtList*n*r`. T** p*t** *****: *) * v*li**tion ****k in `**tO*

7.5

Basic Information

Concerned about an active attack path?

CVE-2016-6797: Incorrect Authorization in Apache Tomcat

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI