CVE-2012-5887

Severity

4.3

Description

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue or investigating other forms of authentication.

Related links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5887

http://tools.cisco.com/security/center/viewAlert.x?alertId=27343

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3439

Project

Apache Tomcat

Category

n/a

Tags

functional

Date Disclosed

2012-11-17

Date Discovered

2012-11-17

Apache Tomcat 7.0.x

First release:

2011-01-14

First release:

2021-03-31

CVEs:

55

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.0.6 7.0.8 7.0.11 7.0.12 7.0.14 7.0.16 7.0.19 7.0.20 7.0.21 7.0.22 7.0.23 7.0.25 7.0.26 7.0.27 7.0.28 7.0.29

Apache Tomcat 6.0.x

First release:

2007-02-28

First release:

2016-12-31

CVEs:

50

Support Lifecycle:

Namespace:

javax

6.0.13 6.0.14 6.0.16 6.0.18 6.0.20 6.0.24 6.0.26 6.0.28 6.0.29 6.0.30 6.0.32 6.0.33 6.0.35

Apache TomEE 1.0.x

First release:

2012-04-27

CVEs:

130

Support Lifecycle:

Namespace:

javax

Feel Vulnerable?

Contact us so we can help you.

First name ^*
Last name ^*
Email ^*
Company ^*
Product ^*
Heard about us from: ^*
Tell us more ^*

Send me a confirmation email

^* These fields are required.