CVE-2012-5887

Apache Tomcat < 5.5.36 - Authentication Bypass

Description

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.

Scores

EPSS 0.0090
EPSS Percentile 75.4%

Classification

CWE
CWE-287
Status published

Affected Products (2)

apache/tomcat < 5.5.36
org.apache.tomcat/tomcat < 5.5.36 (Maven)

Timeline

Published Nov 17, 2012
Tracked Since Feb 18, 2026