CVE-2016-8735 (CVSS base score 9.8)
- EPSS 93.9%
- Published 06.04.2017 21:59:00
- Last modified 20.04.2025 01:37:25
- Source security@apache.org
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Data is provided by the National Vulnerability Database (NVD)
Affected configurations (vendor ≫ product, version):
- Canonical ≫ Ubuntu Linux, version 16.04, software edition esm
- Netapp ≫ 7-mode Transition Tool, version: -
- Netapp ≫ Oncommand Insight, version: -
- Netapp ≫ Oncommand Shift, version: -
- Netapp ≫ Snap Creator Framework, version: -
- Debian ≫ Debian Linux, version 8.0
- Redhat ≫ Jboss Enterprise Web Server, version 3.0.0
- Oracle ≫ Agile Engineering Data Management, version 6.1.3
- Oracle ≫ Agile Engineering Data Management, version 6.2.0
- Oracle ≫ Agile Engineering Data Management, version 6.2.1.0
- Oracle ≫ Communications Application Session Controller, version 3.7.1
- Oracle ≫ Communications Application Session Controller, version 3.8.0
- Oracle ≫ Communications Instant Messaging Server, version 10.0.1
- Oracle ≫ Communications Interactive Session Recorder, version 6.0
- Oracle ≫ Communications Interactive Session Recorder, version 6.1
- Oracle ≫ Communications Interactive Session Recorder, version 6.2
- Oracle ≫ Hospitality Guest Access, version 4.2.0
- Oracle ≫ Hospitality Guest Access, version 4.2.1
- Oracle ≫ Micros Relate Crm Software, version 10.8
- Oracle ≫ Micros Relate Crm Software, version 11.4
- Oracle ≫ Micros Retail Xbri Loss Prevention, version 10.0.1
- Oracle ≫ Micros Retail Xbri Loss Prevention, version 10.5.0
- Oracle ≫ Micros Retail Xbri Loss Prevention, version 10.6.0
- Oracle ≫ Micros Retail Xbri Loss Prevention, version 10.7.7
- Oracle ≫ Micros Retail Xbri Loss Prevention, version 10.8.0
- Oracle ≫ Micros Retail Xbri Loss Prevention, version 10.8.1
- Oracle ≫ Mysql Enterprise Monitor, version <= 3.2.8.2223
- Oracle ≫ Mysql Enterprise Monitor, version >= 3.3.0 and <= 3.3.4.3247
- Oracle ≫ Mysql Enterprise Monitor, version >= 3.4.0 and <= 3.4.2.4181
- Oracle ≫ Retail Convenience And Fuel Pos Software, version 2.1.132
- Oracle ≫ Transportation Management, version 6.3.0
- Oracle ≫ Transportation Management, version 6.3.1
- Oracle ≫ Transportation Management, version 6.3.2
- Oracle ≫ Transportation Management, version 6.3.3
- Oracle ≫ Transportation Management, version 6.3.4
- Oracle ≫ Transportation Management, version 6.3.5
- Oracle ≫ Transportation Management, version 6.3.6
- Oracle ≫ Transportation Management, version 6.3.7
12.05.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog
- Vulnerability: Apache Tomcat Remote Code Execution Vulnerability
- Description: Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.
- Required action: Apply updates per vendor instructions.

Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 93.9% | 0.999 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
nvd@nist.gov | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |