View at Official suse advisory, NVD, CVE.org · CVE detail
Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.
CVE-2016-6797 severity low: SUSE including 72 source package names (tomcat-7.0.76-2.el7, tomcat-7.0.78-7.13.4, …), 166 product×package rows across 19 product lines (SUSE Liberty Linux 7, SUSE Linux Enterprise High Performance Computing 12 SP5, … (19 product lines)): Fixed 166.
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.