CVE-2012-3546

Severity

4.3

Description

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3546

https://mail-archives.apache.org/mod_mbox/tomcat-announce/201212.mbox/%[email protected]%3E

Project

Apache Tomcat

Category

n/a

Tags

operational

functional

Date Disclosed

2012-12-19

Date Discovered

2012-06-14

Apache Tomcat 7.0.x

First release:

2011-01-14

First release:

2021-03-31

CVEs:

55

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.0.6 7.0.8 7.0.11 7.0.12 7.0.14 7.0.16 7.0.19 7.0.20 7.0.21 7.0.22 7.0.23 7.0.25 7.0.26 7.0.27 7.0.28 7.0.29

Apache Tomcat 6.0.x

First release:

2007-02-28

First release:

2016-12-31

CVEs:

50

Support Lifecycle:

Namespace:

javax

6.0.13 6.0.14 6.0.16 6.0.18 6.0.20 6.0.24 6.0.26 6.0.28 6.0.29 6.0.30 6.0.32 6.0.33 6.0.35

Apache TomEE 1.0.x

First release:

2012-04-27

CVEs:

130

Support Lifecycle:

Namespace:

javax

Feel Vulnerable?

Contact us so we can help you.

First name ^*
Last name ^*
Email ^*
Company ^*
Product ^*
Heard about us from: ^*
Tell us more ^*

Send me a confirmation email

^* These fields are required.