PT-2012-4799 · Apache · Apache Tomcat

Published: 2012-10-19 · Updated: 2022-05-17 · CVE-2012-3546

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 6.x before 6.0.36
Apache Tomcat versions 7.x before 7.0.30

Description

The issue allows remote attackers to bypass security-constraint checks when FORM authentication is used. The bypass relies on a previous setUserPrincipal call combined with a request URI that ends in /j_security_check. The vulnerability is exploitable only if some other component, such as the Single-Sign-On valve, has already called request.setUserPrincipal() before FormAuthenticator#authenticate() runs.

Recommendations

For Apache Tomcat 6.x before 6.0.36, update to version 6.0.36 or later to resolve the issue. For Apache Tomcat 7.x before 7.0.30, update to version 7.0.30 or later to resolve the issue. As a temporary workaround, consider restricting access to the /j_security_check endpoint until a patch is available.

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CESA-2013_0623
CVE-2012-3546
GHSA-JGM2-M5CG-F66G
HPSBUX02866
RHSA-2013:0005
RHSA-2013:0147
RHSA-2013:0158
RHSA-2013:0164
RHSA-2013:0191
RHSA-2013:0192
RHSA-2013:0193
RHSA-2013:0195
RHSA-2013:0196
RHSA-2013:0197
RHSA-2013:0623
RHSA-2013:0640
RHSA-2013:0641
RHSA-2013_0623
RHSA-2013_0640

Affected Products

Apache Tomcat
CentOS
HP-UX
Red Hat
SUSE