Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2019-12418

Public on 2019-12-23
Modified on 2024-01-28
Description

A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack. The attacker could then capture user names and passwords used to access the JMX interface and gain complete control over the Tomcat instance.

Severity
Important
See what this means
CVSS v3 Base Score
7.4
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Core tomcat 2023-05-11 17:49 ALAS2-2023-2047
Amazon Linux 2 - Tomcat8.5 Extra tomcat 2023-08-21 20:58 ALAS2TOMCAT8.5-2023-013
Amazon Linux 2 - Tomcat9 Extra tomcat 2023-08-21 20:58 ALAS2TOMCAT9-2023-008
Amazon Linux 1 tomcat8 2020-01-14 18:18 ALAS-2020-1337

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD CVSSv2 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P
NVD CVSSv3 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H