CVE-2012-3439

Name of the Vulnerable Software and Affected Versions Apache Tomcat (affected versions not specified)

Description The issue concerns weaknesses in Tomcat's implementation of DIGEST authentication. Specifically, Tomcat tracked client rather than server nonces and nonce count, which reduced the security of DIGEST authentication. Additionally, when a session ID was present, authentication was bypassed, and the user name and password were not checked before indicating that a nonce was stale. These weaknesses made replay attacks possible in some circumstances.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.