Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Sign In Sign Up

CVE-2019-12418

UNKNOWN

Published 2019-12-23T17:12:43

Actions:

No CVSS data available

Description

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Apache Software Foundation

Apache Tomcat

Affected Versions:

9.0.0.M1 to 9.0.28 8.5.0 to 8.5.47 7.0.0 to 7.0.97

References

https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E

https://www.debian.org/security/2019/dsa-4596

https://seclists.org/bugtraq/2019/Dec/43

https://security.netapp.com/advisory/ntap-20200107-0001/

https://support.f5.com/csp/article/K10107360?utm_source=f5support&amp%3Butm_medium=RSS

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html

https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html

https://usn.ubuntu.com/4251-1/

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

https://security.gentoo.org/glsa/202003-43

https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.debian.org/security/2020/dsa-4680

HackerOne Reports

Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE Medium

pvm

U.S. Dept Of Defense

Information Exposure Through an Error Message

Published: 2019-12-23T17:12:43

Last Modified: 2024-08-04T23:17:40.118Z

Copied to clipboard!