CVE-2011-5063

MEDIUM

Description

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

References

http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html

http://marc.info/?l=bugtraq&m=139344343412337&w=2

http://rhn.redhat.com/errata/RHSA-2012-0074.html

http://rhn.redhat.com/errata/RHSA-2012-0075.html

http://rhn.redhat.com/errata/RHSA-2012-0076.html

http://rhn.redhat.com/errata/RHSA-2012-0077.html

http://rhn.redhat.com/errata/RHSA-2012-0078.html

http://rhn.redhat.com/errata/RHSA-2012-0325.html

http://secunia.com/advisories/57126

http://svn.apache.org/viewvc?view=rev&rev=1087655

http://svn.apache.org/viewvc?view=rev&rev=1158180

http://svn.apache.org/viewvc?view=rev&rev=1159309

http://tomcat.apache.org/security-5.html

http://tomcat.apache.org/security-6.html

http://tomcat.apache.org/security-7.html

http://www.debian.org/security/2012/dsa-2401

http://www.redhat.com/support/errata/RHSA-2011-1845.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

Details

Source: MITRE

Published: 2012-01-14

Updated: 2019-03-25

Type: CWE-287

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.30:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.31:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.32:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.33:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*

Tenable Plugins

View all (18 total)

ID	Name	Product	Family	Severity
78925	RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0682)	Nessus	Red Hat Local Security Checks	high
78924	RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0680)	Nessus	Red Hat Local Security Checks	high
76037	openSUSE Security Update : tomcat6 (openSUSE-SU-2012:0208-1)	Nessus	SuSE Local Security Checks	medium
68410	Oracle Linux 5 : tomcat5 (ELSA-2011-1845)	Nessus	Oracle Linux Local Security Checks	medium
68399	Oracle Linux 6 : tomcat6 (ELSA-2011-1780)	Nessus	Oracle Linux Local Security Checks	high
64022	RHEL 4 / 5 / 6 : jbossweb (RHSA-2012:0074)	Nessus	Red Hat Local Security Checks	medium
59677	GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
57855	SuSE 11.1 Security Update : tomcat6 (SAT Patch Number 5759)	Nessus	SuSE Local Security Checks	medium
57812	Debian DSA-2401-1 : tomcat6 - several vulnerabilities	Nessus	Debian Local Security Checks	high
57374	CentOS 6 : tomcat6 (CESA-2011:1780)	Nessus	CentOS Local Security Checks	high
57356	RHEL 5 : tomcat5 (RHSA-2011:1845)	Nessus	Red Hat Local Security Checks	medium
57354	CentOS 5 : tomcat5 (CESA-2011:1845)	Nessus	CentOS Local Security Checks	medium
57023	RHEL 6 : tomcat6 (RHSA-2011:1780)	Nessus	Red Hat Local Security Checks	high
56301	Apache Tomcat 5.5.x < 5.5.34 Multiple Vulnerabilities	Nessus	Web Servers	high
56008	Apache Tomcat 6.0.x < 6.0.33 Multiple Vulnerabilities	Nessus	Web Servers	medium
800625	Apache Tomcat 7.0.x < 7.0.12 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium
53323	Apache Tomcat 7.x < 7.0.12 Multiple Vulnerabilities	Nessus	Web Servers	medium
5882	Apache Tomcat 7.0.x < 7.0.12 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium