CVE-2011-1184 – org.apache.tomcat:tomcat

Package

Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=5.5.0 <5.5.34 || >=6.0.0 <6.0.33 || >=7.0.0 <7.0.12

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0527 pctl0.89622

Details

Authentication Bypass in Apache Tomcat The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Metadata

Created: 2022-05-14T01:17:02Z
Modified: 2024-02-21T21:18:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q9xf-jwr4-v445/GHSA-q9xf-jwr4-v445.json
CWE IDs: []
Alternative ID: GHSA-q9xf-jwr4-v445
Finding: F006
Auto approve: 1