{"id":"CVE-2016-0763","details":"The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.","aliases":["GHSA-9hjv-9h75-xmpp"],"modified":"2026-07-08T05:46:08.437679818Z","published":"2016-02-25T01:59:06.280Z","related":["SUSE-SU-2016:0769-1","SUSE-SU-2016:0822-1","openSUSE-SU-2024:10446-1","openSUSE-SU-2024:13441-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"apache:tomcat","extracted_events":[{"introduced":"7.0.0-beta"},{"last_affected":"7.0.0-beta"},{"introduced":"7.0.2-beta"},{"last_affected":"7.0.2-beta"},{"introduced":"7.0.4-beta"},{"last_affected":"7.0.4-beta"},{"introduced":"7.0.5-beta"},{"last_affected":"7.0.5-beta"},{"introduced":"8.0.0-rc1"},{"last_affected":"8.0.0-rc1"},{"introduced":"8.0.0-rc10"},{"last_affected":"8.0.0-rc10"},{"introduced":"8.0.0-rc3"},{"last_affected":"8.0.0-rc3"},{"introduced":"8.0.0-rc5"},{"last_affected":"8.0.0-rc5"},{"introduced":"8.0.1"},{"last_affected":"8.0.1"},{"introduced":"8.0.3"},{"last_affected":"8.0.3"},{"introduced":"8.0.11"},{"last_affected":"8.0.11"},{"introduced":"8.0.12"},{"last_affected":"8.0.12"},{"introduced":"8.0.14"},{"last_affected":"8.0.14"},{"introduced":"8.0.15"},{"last_affected":"8.0.15"},{"introduced":"8.0.17"},{"last_affected":"8.0.17"},{"introduced":"8.0.18"},{"last_affected":"8.0.18"},{"introduced":"8.0.20"},{"last_affected":"8.0.20"},{"introduced":"8.0.21"},{"last_affected":"8.0.21"},{"introduced":"8.0.22"},{"last_affected":"8.0.22"},{"introduced":"8.0.23"},{"last_affected":"8.0.23"},{"introduced":"8.0.24"},{"last_affected":"8.0.24"},{"introduced":"8.0.26"},{"last_affected":"8.0.26"},{"introduced":"8.0.27"},{"last_affected":"8.0.27"},{"introduced":"8.0.28"},{"last_affected":"8.0.28"},{"introduced":"8.0.29"},{"last_affected":"8.0.29"},{"introduced":"8.0.30"},{"last_affected":"8.0.30"}]},{"cpes":["cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"],"source":"CPE_STRING","vendor_product":"canonical:ubuntu_linux","extracted_events":[{"introduced":"12.04"},{"last_affected":"12.04"},{"introduced":"14.04"},{"last_affected":"14.04"},{"introduced":"15.10"},{"last_affected":"15.10"},{"introduced":"16.04"},{"last_affected":"16.04"}]},{"cpes":["cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"debian:debian_linux","extracted_events":[{"introduced":"7.0"},{"last_affected":"7.0"},{"introduced":"8.0"},{"last_affected":"8.0"}]}]},"references":[{"type":"WEB","url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html"},{"type":"WEB","url":"http://seclists.org/bugtraq/2016/Feb/147"},{"type":"WEB","url":"http://svn.apache.org/viewvc?view=revision&revision=1725926"},{"type":"WEB","url":"http://svn.apache.org/viewvc?view=revision&revision=1725929"},{"type":"WEB","url":"http://svn.apache.org/viewvc?view=revision&revision=1725931"},{"type":"WEB","url":"http://www.securityfocus.com/bid/83326"},{"type":"WEB","url":"http://www.securitytracker.com/id/1035069"},{"type":"WEB","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442"},{"type":"WEB","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626"},{"type":"WEB","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755"},{"type":"WEB","url":"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1089.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2599.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2807.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2808.html"},{"type":"ADVISORY","url":"http://tomcat.apache.org/security-7.html"},{"type":"ADVISORY","url":"http://tomcat.apache.org/security-8.html"},{"type":"ADVISORY","url":"http://tomcat.apache.org/security-9.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3530"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3552"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3609"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-3024-1"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2016:1087"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2016:1088"},{"type":"ADVISORY","url":"https://bto.bluecoat.com/security-advisory/sa118"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201705-09"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20180531-0001/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"4a39288c6eab999452c72af9fd1a0c12b054ca9f"},{"last_affected":"29b07def810d335012e738b22ab44d4e232b50d1"}],"database_specific":{"source":"CPE_STRING","cpe":["cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*"],"extracted_events":[{"introduced":"7.0.6"},{"last_affected":"7.0.6"},{"introduced":"7.0.10"},{"last_affected":"7.0.10"},{"introduced":"7.0.11"},{"last_affected":"7.0.11"},{"introduced":"7.0.12"},{"last_affected":"7.0.12"},{"introduced":"7.0.14"},{"last_affected":"7.0.14"},{"introduced":"7.0.16"},{"last_affected":"7.0.16"},{"introduced":"7.0.19"},{"last_affected":"7.0.19"},{"introduced":"7.0.20"},{"last_affected":"7.0.20"},{"introduced":"7.0.21"},{"last_affected":"7.0.21"},{"introduced":"7.0.22"},{"last_affected":"7.0.22"},{"introduced":"7.0.23"},{"last_affected":"7.0.23"},{"introduced":"7.0.25"},{"last_affected":"7.0.25"},{"introduced":"7.0.26"},{"last_affected":"7.0.26"},{"introduced":"7.0.27"},{"last_affected":"7.0.27"},{"introduced":"7.0.28"},{"last_affected":"7.0.28"},{"introduced":"7.0.29"},{"last_affected":"7.0.29"},{"introduced":"7.0.30"},{"last_affected":"7.0.30"},{"introduced":"7.0.32"},{"last_affected":"7.0.32"},{"introduced":"7.0.33"},{"last_affected":"7.0.33"},{"introduced":"7.0.34"},{"last_affected":"7.0.34"},{"introduced":"7.0.35"},{"last_affected":"7.0.35"},{"introduced":"7.0.37"},{"last_affected":"7.0.37"},{"introduced":"7.0.39"},{"last_affected":"7.0.39"},{"introduced":"7.0.40"},{"last_affected":"7.0.40"},{"introduced":"7.0.41"},{"last_affected":"7.0.41"},{"introduced":"7.0.42"},{"last_affected":"7.0.42"},{"introduced":"7.0.47"},{"last_affected":"7.0.47"},{"introduced":"7.0.50"},{"last_affected":"7.0.50"},{"introduced":"7.0.52"},{"last_affected":"7.0.52"},{"introduced":"7.0.53"},{"last_affected":"7.0.53"},{"introduced":"7.0.54"},{"last_affected":"7.0.54"},{"introduced":"7.0.55"},{"last_affected":"7.0.55"},{"introduced":"7.0.56"},{"last_affected":"7.0.56"},{"introduced":"7.0.57"},{"last_affected":"7.0.57"},{"introduced":"7.0.59"},{"last_affected":"7.0.59"},{"introduced":"7.0.61"},{"last_affected":"7.0.61"},{"introduced":"7.0.62"},{"last_affected":"7.0.62"},{"introduced":"7.0.63"},{"last_affected":"7.0.63"},{"introduced":"7.0.64"},{"last_affected":"7.0.64"},{"introduced":"7.0.65"},{"last_affected":"7.0.65"},{"introduced":"7.0.67"},{"last_affected":"7.0.67"},{"introduced":"9.0.0-milestone1"},{"last_affected":"9.0.0-milestone1"}]}}],"versions":["7.0.10","7.0.11","7.0.12","7.0.14","7.0.16","7.0.19","7.0.20","7.0.21","7.0.22","7.0.23","7.0.25","7.0.26","7.0.27","7.0.28","7.0.29","7.0.30","7.0.32","7.0.33","7.0.34","7.0.35","7.0.37","7.0.39","7.0.40","7.0.41","7.0.42","7.0.47","7.0.50","7.0.52","7.0.53","7.0.54","7.0.55","7.0.56","7.0.57","7.0.59","7.0.6","7.0.61","7.0.62","7.0.63","7.0.64","7.0.65","7.0.67","9.0.0-milestone1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-0763.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}]}