CVE-2019-12418

Public on 2019-12-23
Modified on 2023-05-04
Description

A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack. The attacker could then capture user names and passwords used to access the JMX interface and gain complete control over the Tomcat instance.

Severity
Important
See what this means
CVSS v3 Base Score
7.4
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 tomcat 2023-05-11 17:49 ALAS2-2023-2047
Amazon Linux 2 tomcat 2023-08-21 20:58 ALAS2TOMCAT8.5-2023-013
Amazon Linux 2 tomcat 2023-08-21 20:58 ALAS2TOMCAT9-2023-008
Amazon Linux 1 tomcat8 2020-01-14 18:18 ALAS-2020-1337

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD CVSSv2 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P
NVD CVSSv3 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H