CVE-2019-12418
Public on 2019-12-23
Modified on 2024-01-28
Description
A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack. The attacker could then capture user names and passwords used to access the JMX interface and gain complete control over the Tomcat instance.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | tomcat | 2023-05-11 | ALAS2-2023-2047 | Fixed |
| Amazon Linux 2 - Tomcat8.5 Extra | tomcat | 2023-08-21 | ALAS2TOMCAT8.5-2023-013 | Fixed |
| Amazon Linux 2 - Tomcat9 Extra | tomcat | 2023-08-21 | ALAS2TOMCAT9-2023-008 | Fixed |
| Amazon Linux 1 | tomcat8 | 2020-01-14 | ALAS-2020-1337 | Fixed |
| Amazon Linux 1 | tomcat80 | Pending Fix | ||
| Amazon Linux 2023 | tomcat9 | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.4 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSSv2 | 4.4 | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| NVD | CVSSv3 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |