PT-2010-2872 · Apache · Apache Tomcat

Published: 2010-04-23 · Updated: 2023-02-13 · CVE-2010-1157

CVSS v2.0: 2.6 (Low)
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 5.5.0 through 5.5.29
Apache Tomcat versions 6.0.0 through 6.0.26

Description
The issue allows remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires either BASIC or DIGEST authentication. The realm field of the WWW-Authenticate header in the reply can be read to obtain this information.

Recommendations
For Apache Tomcat versions 5.5.0 through 5.5.29, consider restricting access to resources that require BASIC or DIGEST authentication until a fix is available. For Apache Tomcat versions 6.0.0 through 6.0.26, consider disabling the BASIC and DIGEST authentication methods as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2010-1157
DSA-2207-1
GHSA-W6Q7-WW2X-7GM3
HPSBUX02579
HPSBUX02860
RHSA-2010:0584
RHSA-2011:0897

Affected Products

Apache Tomcat
HP-UX