Lucene search

[email protected]NVD:CVE-2009-0580

HistoryJun 05, 2009 - 4:00 p.m.

CVE-2009-0580

2009-06-0516:00:00

CWE-200

[email protected]

web.nvd.nist.gov

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

AI Score

4.8

Confidence

High

EPSS

0.971

Percentile

99.8%

JSON

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.

Affected configurations

Nvd

Node

apachetomcatMatch4.1.0

apachetomcatMatch4.1.1

apachetomcatMatch4.1.2

apachetomcatMatch4.1.3

apachetomcatMatch4.1.3beta

apachetomcatMatch4.1.4

apachetomcatMatch4.1.5

apachetomcatMatch4.1.6

apachetomcatMatch4.1.7

apachetomcatMatch4.1.8

apachetomcatMatch4.1.9

apachetomcatMatch4.1.9beta

apachetomcatMatch4.1.10

apachetomcatMatch4.1.11

apachetomcatMatch4.1.12

apachetomcatMatch4.1.13

apachetomcatMatch4.1.14

apachetomcatMatch4.1.15

apachetomcatMatch4.1.16

apachetomcatMatch4.1.17

apachetomcatMatch4.1.18

apachetomcatMatch4.1.19

apachetomcatMatch4.1.20

apachetomcatMatch4.1.21

apachetomcatMatch4.1.22

apachetomcatMatch4.1.23

apachetomcatMatch4.1.24

apachetomcatMatch4.1.25

apachetomcatMatch4.1.26

apachetomcatMatch4.1.27

apachetomcatMatch4.1.28

apachetomcatMatch4.1.29

apachetomcatMatch4.1.30

apachetomcatMatch4.1.31

apachetomcatMatch4.1.32

apachetomcatMatch4.1.33

apachetomcatMatch4.1.34

apachetomcatMatch4.1.35

apachetomcatMatch4.1.36

apachetomcatMatch4.1.37

apachetomcatMatch4.1.38

apachetomcatMatch4.1.39

apachetomcatMatch5.5.0

apachetomcatMatch5.5.1

apachetomcatMatch5.5.2

apachetomcatMatch5.5.3

apachetomcatMatch5.5.4

apachetomcatMatch5.5.5

apachetomcatMatch5.5.6

apachetomcatMatch5.5.7

apachetomcatMatch5.5.8

apachetomcatMatch5.5.9

apachetomcatMatch5.5.10

apachetomcatMatch5.5.11

apachetomcatMatch5.5.12

apachetomcatMatch5.5.13

apachetomcatMatch5.5.14

apachetomcatMatch5.5.15

apachetomcatMatch5.5.16

apachetomcatMatch5.5.17

apachetomcatMatch5.5.18

apachetomcatMatch5.5.19

apachetomcatMatch5.5.20

apachetomcatMatch5.5.21

apachetomcatMatch5.5.22

apachetomcatMatch5.5.23

apachetomcatMatch5.5.24

apachetomcatMatch5.5.25

apachetomcatMatch5.5.26

apachetomcatMatch5.5.27

apachetomcatMatch6.0.0

apachetomcatMatch6.0.1

apachetomcatMatch6.0.2

apachetomcatMatch6.0.3

apachetomcatMatch6.0.4

apachetomcatMatch6.0.5

apachetomcatMatch6.0.6

apachetomcatMatch6.0.7

apachetomcatMatch6.0.8

apachetomcatMatch6.0.9

apachetomcatMatch6.0.10

apachetomcatMatch6.0.11

apachetomcatMatch6.0.12

apachetomcatMatch6.0.13

apachetomcatMatch6.0.14

apachetomcatMatch6.0.15

apachetomcatMatch6.0.16

VendorProductVersionCPE
apachetomcat4.1.0cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*
apachetomcat4.1.1cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*
apachetomcat4.1.2cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*
apachetomcat4.1.3cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*
apachetomcat4.1.3cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*
apachetomcat4.1.4cpe:2.3:a:apache:tomcat:4.1.4:*:*:*:*:*:*:*
apachetomcat4.1.5cpe:2.3:a:apache:tomcat:4.1.5:*:*:*:*:*:*:*
apachetomcat4.1.6cpe:2.3:a:apache:tomcat:4.1.6:*:*:*:*:*:*:*
apachetomcat4.1.7cpe:2.3:a:apache:tomcat:4.1.7:*:*:*:*:*:*:*
apachetomcat4.1.8cpe:2.3:a:apache:tomcat:4.1.8:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	tomcat	4.1.0	cpe:2.3:a:apache:tomcat:4.1.0:::::::*
apache	tomcat	4.1.1	cpe:2.3:a:apache:tomcat:4.1.1:::::::*
apache	tomcat	4.1.2	cpe:2.3:a:apache:tomcat:4.1.2:::::::*
apache	tomcat	4.1.3	cpe:2.3:a:apache:tomcat:4.1.3:::::::*
apache	tomcat	4.1.3	cpe:2.3:a:apache:tomcat:4.1.3:beta::::::
apache	tomcat	4.1.4	cpe:2.3:a:apache:tomcat:4.1.4:::::::*
apache	tomcat	4.1.5	cpe:2.3:a:apache:tomcat:4.1.5:::::::*
apache	tomcat	4.1.6	cpe:2.3:a:apache:tomcat:4.1.6:::::::*
apache	tomcat	4.1.7	cpe:2.3:a:apache:tomcat:4.1.7:::::::*
apache	tomcat	4.1.8	cpe:2.3:a:apache:tomcat:4.1.8:::::::*

Rows per page:

1-10 of 871

References

lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html

marc.info/?l=bugtraq&m=127420533226623&w=2

marc.info/?l=bugtraq&m=129070310906557&w=2

marc.info/?l=bugtraq&m=133469267822771&w=2

marc.info/?l=bugtraq&m=136485229118404&w=2

secunia.com/advisories/35326

secunia.com/advisories/35344

secunia.com/advisories/35685

secunia.com/advisories/35788

secunia.com/advisories/37460

secunia.com/advisories/42368

securitytracker.com/id?1022332

sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1

support.apple.com/kb/HT4077

svn.apache.org/viewvc?rev=747840&view=rev

svn.apache.org/viewvc?rev=781379&view=rev

svn.apache.org/viewvc?rev=781382&view=rev

tomcat.apache.org/security-4.html

tomcat.apache.org/security-5.html

tomcat.apache.org/security-6.html

www.debian.org/security/2011/dsa-2207

www.mandriva.com/security/advisories?name=MDVSA-2009:136

www.mandriva.com/security/advisories?name=MDVSA-2009:138

www.mandriva.com/security/advisories?name=MDVSA-2010:176

www.securityfocus.com/archive/1/504045/100/0/threaded

www.securityfocus.com/archive/1/504108/100/0/threaded

www.securityfocus.com/archive/1/504125/100/0/threaded

www.securityfocus.com/archive/1/507985/100/0/threaded

www.securityfocus.com/bid/35196

www.vmware.com/security/advisories/VMSA-2009-0016.html

www.vupen.com/english/advisories/2009/1496

www.vupen.com/english/advisories/2009/1856

www.vupen.com/english/advisories/2009/3316

www.vupen.com/english/advisories/2010/3056

exchange.xforce.ibmcloud.com/vulnerabilities/50930

lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18915

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6628

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9101

www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html

www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html

www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

AI Score

4.8

Confidence

High

EPSS

0.971

Percentile

99.8%

JSON

Related for NVD:CVE-2009-0580