CVE-2016-6794: Information Exposure

August 10, 2017 (updated April 15, 2019)

When a SecurityManager is configured, a web application’s ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat, the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

References

www.securityfocus.com/bid/93943
www.securitytracker.com/id/1037143
lists.apache.org/thread.html/09d2f2c65ac4ff5da42f15dc2b0f78b655e50f1a42e8a9784134a9eb@%3Cannounce.tomcat.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2016-6794

Detect and mitigate CVE-2016-6794 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →