Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Metrics
Affected Vendors & Products
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 04 Feb 2025 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
kev
|
Wed, 14 Aug 2024 00:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2025-07-30T01:46:29.702Z
Reserved: 2016-10-18T00:00:00.000Z
Link: CVE-2016-8735

Updated: 2024-08-06T02:27:41.259Z

Status : Deferred
Published: 2017-04-06T21:59:00.243
Modified: 2025-04-20T01:37:25.860
Link: CVE-2016-8735


No data.