Detections
Analytics
SCA: security update for org.apache.tomcat:tomcat (GHSA-wxcp-f2c8-x6xv)
medium Tenable Self-Hosted Container Security Plugin ID 420180
Description
There are packages installed that are affected by a vulnerability referenced in the following CVE:- The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to
8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user
name did not exist. This made a timing attack possible to determine valid user names. Note that the
default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
(CVE-2016-0762)
See Also
Plugin Details
Severity: Medium
ID: 420180
Version: Revision 1.5
Type: Local
Family: SCA Checks
Published: 1/23/2025
Updated: 6/22/2026
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
Vendor
Vendor Severity: Medium
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.2
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS Score Source: CVE-2016-0762
CVSS v3
Risk Factor: Medium
Base Score: 5.9
Temporal Score: 5.2
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Patch Publication Date: 5/13/2022
Vulnerability Publication Date: 9/5/2016
Reference Information
CVE: CVE-2016-0762
BID: 93939
cwe: CWE-203