VDB

CVE-2016-1240

CVE-2016-1240 PUBLISHED

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.

EPSS 22.22% · 95.9th percentile

Risk Scores

EPSS Score
22.22%
95.9th percentile

Affected Products

VendorProductVersions
Ubuntu:16.04:LTStomcat88.0.32-1ubuntu1.1, 8.0.32-1, 8.0.26-1
Ubuntu:14.04:LTStomcat66.0.37-1, 6.0.39-1, 0
Ubuntu:16.04:LTStomcat66.0.45+dfsg-1ubuntu0.1, 0, 6.0.41-4
Ubuntu:14.04:LTStomcat77.0.52-1ubuntu0.6, 7.0.50-1, 7.0.52-1
Ubuntu:16.04:LTStomcat77.0.64-1, 7.0.68-1ubuntu0.1, 7.0.68-1

Exploit Intelligence

…and 13 more exploits

Timeline

  • Sep 16, 2016 CVE Published
  • Oct 1, 2016 PoC Published
  • Feb 4, 2022 EPSS Score
  • Feb 6, 2023 PoC Published
  • Mar 7, 2023 EPSS Score
  • Mar 17, 2025 EPSS Score
  • Mar 20, 2025 EPSS Score
  • Mar 27, 2025 EPSS Score
  • Mar 29, 2025 EPSS Score
  • Mar 30, 2025 EPSS Score
  • May 1, 2025 EPSS Score
  • May 4, 2025 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›