PT-2012-2040 · Apache+3 · Apache Tomcat+3

Published

2011-12-05

·

Updated

2022-05-14

·

CVE-2011-5062

CVSS v2.0

5.0

Medium

VectorAV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 5.5.x through 5.5.33 Apache Tomcat versions 6.x through 6.0.32 Apache Tomcat versions 7.x through 7.0.11
Description The issue is related to the HTTP Digest Access Authentication implementation, which does not check qop values. This could allow remote attackers to bypass intended integrity-protection requirements by using a qop=auth value.
Recommendations For Apache Tomcat versions 5.5.x through 5.5.33, update to version 5.5.34 or later. For Apache Tomcat versions 6.x through 6.0.32, update to version 6.0.33 or later. For Apache Tomcat versions 7.x through 7.0.11, update to version 7.0.12 or later.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-264

Related Identifiers

CESA-2011_1780
CVE-2011-5062
DSA-2401-1
GHSA-4F7H-9J2X-CMR4
RHSA-2011:1780
RHSA-2011:1845
RHSA-2011_1780
RHSA-2011_1845
RHSA-2012:0074
RHSA-2012:0076
RHSA-2012:0680
RHSA-2012:0682

Affected Products

Apache Tomcat
Centos
Red Hat
Suse