CVE-2016-6796

high

Published 2017-08-11 · Modified 2024-11-28

CVSS v3

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2

5.0

VIR risk

7.5

Description

Apache Tomcat vulnerable to SecurityManager bypass

Exploit likelihood

83%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-6796.html

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://www.oracle.com/security-alerts/cpuoct2021.html

OS	Version	Status
sles		affected
debian	8.0	affected
rhel	7.0	affected
rhel	7.4	affected
rhel	7.5	affected
rhel	7.6	affected
rhel	7.7	affected
ubuntu	16.04	affected

Ecosystem	Package	Vulnerable	Fixed
Maven	org.apache.tomcat:tomcat	`>=9.0.0.M1,<9.0.0.M10`	`9.0.0.M10`
Maven	org.apache.tomcat:tomcat	`>=8.5.0,<8.5.5`	`8.5.5`
Maven	org.apache.tomcat:tomcat	`>=8.0.0.RC1,<8.0.37`	`8.0.37`
Maven	org.apache.tomcat:tomcat	`>=7.0.0,<7.0.71`	`7.0.71`
Maven	org.apache.tomcat:tomcat	`>=6.0.0,<6.0.46`	`6.0.46`

Vendor	Product	Versions
apache	tomcat	`{"startIncluding":"6.0.0","endIncluding":"6.0.45"}`
apache	tomcat	`9.0.0`
netapp	oncommand_insight	`-`
netapp	oncommand_shift	`-`
netapp	snap_creator_framework	`-`
oracle	tekelec_platform_distribution	`7.4.0`
oracle	tekelec_platform_distribution	`7.7.1`
redhat	jboss_enterprise_application_platform	`6.4`
redhat	jboss_enterprise_web_server	`3.0.0`

Verify integrity in audit chain (admin only). AS-IS.