CVE-2011-5064 – org.apache.tomcat:tomcat

Package

Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=5.5.0 <5.5.34 || >=6.0.0 <6.0.33 || >=7.0.0 <7.0.12

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.05319 pctl0.89665

Details

Use of Hard-coded Cryptographic Key in Apache Tomcat DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

Metadata

Created: 2022-05-14T01:17:03Z
Modified: 2022-07-13T18:30:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6cr4-7c7p-p3xv/GHSA-6cr4-7c7p-p3xv.json
CWE IDs: ["CWE-321"]
Alternative ID: GHSA-6cr4-7c7p-p3xv
Finding: F020
Auto approve: 1