GitHub Advisory DatabaseGHSA-9XRJ-439H-62HGImproper Authentication in Apache Tomcat
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS
Percentile
71.6%
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| org.apache.tomcat | tomcat-catalina | * | cpe:2.3:a:org.apache.tomcat:tomcat-catalina:*:*:*:*:*:*:*:* |
References
lists.opensuse.org/opensuse-updates/2012-12/msg00089.html
lists.opensuse.org/opensuse-updates/2012-12/msg00090.html
lists.opensuse.org/opensuse-updates/2013-01/msg00037.html
rhn.redhat.com/errata/RHSA-2013-0623.html
rhn.redhat.com/errata/RHSA-2013-0629.html
rhn.redhat.com/errata/RHSA-2013-0631.html
rhn.redhat.com/errata/RHSA-2013-0632.html
rhn.redhat.com/errata/RHSA-2013-0640.html
rhn.redhat.com/errata/RHSA-2013-0647.html
rhn.redhat.com/errata/RHSA-2013-0648.html
rhn.redhat.com/errata/RHSA-2013-0726.html
svn.apache.org/viewvc?view=revision&revision=1377807
svn.apache.org/viewvc?view=revision&revision=1380829
svn.apache.org/viewvc?view=revision&revision=1392248
tomcat.apache.org/security-5.html
tomcat.apache.org/security-6.html
tomcat.apache.org/security-7.html
www-01.ibm.com/support/docview.wss?uid=swg21626891
www.ubuntu.com/usn/USN-1637-1
exchange.xforce.ibmcloud.com/vulnerabilities/80407
github.com/advisories/GHSA-9xrj-439h-62hg
nvd.nist.gov/vuln/detail/CVE-2012-5886
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS
Percentile
71.6%