CVE-2011-5063
First published: Sat Jan 14 2012(Updated: )
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tomcat | =5.5.27 | |
| Apache Tomcat | =5.5.18 | |
| Apache Tomcat | =5.5.12 | |
| Apache Tomcat | =5.5.14 | |
| Apache Tomcat | =5.5.10 | |
| Apache Tomcat | =5.5.4 | |
| Apache Tomcat | =5.5.7 | |
| Apache Tomcat | =5.5.1 | |
| Apache Tomcat | =5.5.11 | |
| Apache Tomcat | =5.5.28 | |
| Apache Tomcat | =5.5.6 | |
| Apache Tomcat | =5.5.26 | |
| Apache Tomcat | =5.5.20 | |
| Apache Tomcat | =5.5.15 | |
| Apache Tomcat | =5.5.5 | |
| Apache Tomcat | =5.5.30 | |
| Apache Tomcat | =5.5.21 | |
| Apache Tomcat | =5.5.22 | |
| Apache Tomcat | =5.5.3 | |
| Apache Tomcat | =5.5.32 | |
| Apache Tomcat | =5.5.31 | |
| Apache Tomcat | =5.5.9 | |
| Apache Tomcat | =5.5.25 | |
| Apache Tomcat | =5.5.33 | |
| Apache Tomcat | =5.5.2 | |
| Apache Tomcat | =5.5.0 | |
| Apache Tomcat | =5.5.13 | |
| Apache Tomcat | =5.5.24 | |
| Apache Tomcat | =5.5.8 | |
| Apache Tomcat | =5.5.16 | |
| Apache Tomcat | =5.5.17 | |
| Apache Tomcat | =5.5.29 | |
| Apache Tomcat | =5.5.19 | |
| Apache Tomcat | =5.5.23 | |
| Apache Tomcat | =6.0.6 | |
| Apache Tomcat | =6.0.11 | |
| Apache Tomcat | =6.0.7 | |
| Apache Tomcat | =6.0.4 | |
| Apache Tomcat | =6.0.15 | |
| Apache Tomcat | =6.0.20 | |
| Apache Tomcat | =6.0.10 | |
| Apache Tomcat | =6.0.31 | |
| Apache Tomcat | =6.0.29 | |
| Apache Tomcat | =6.0.3 | |
| Apache Tomcat | =6.0.9 | |
| Apache Tomcat | =6.0.24 | |
| Apache Tomcat | =6.0.17 | |
| Apache Tomcat | =6.0 | |
| Apache Tomcat | =6.0.32 | |
| Apache Tomcat | =6.0.28 | |
| Apache Tomcat | =6.0.0 | |
| Apache Tomcat | =6.0.14 | |
| Apache Tomcat | =6.0.1 | |
| Apache Tomcat | =6.0.12 | |
| Apache Tomcat | =6.0.18 | |
| Apache Tomcat | =6.0.5 | |
| Apache Tomcat | =6.0.30 | |
| Apache Tomcat | =6.0.2 | |
| Apache Tomcat | =6.0.13 | |
| Apache Tomcat | =6.0.26 | |
| Apache Tomcat | =6.0.19 | |
| Apache Tomcat | =6.0.27 | |
| Apache Tomcat | =6.0.16 | |
| Apache Tomcat | =6.0.8 | |
| Apache Tomcat | =7.0.8 | |
| Apache Tomcat | =7.0.1 | |
| Apache Tomcat | =7.0.2 | |
| Apache Tomcat | =7.0.5 | |
| Apache Tomcat | =7.0.0 | |
| Apache Tomcat | =7.0.6 | |
| Apache Tomcat | =7.0.11 | |
| Apache Tomcat | =7.0.0-beta | |
| Apache Tomcat | =7.0.7 | |
| Apache Tomcat | =7.0.10 | |
| Apache Tomcat | =7.0.9 | |
| Apache Tomcat | =7.0.4 | |
| Apache Tomcat | =7.0.3 | |
| maven/org.apache.tomcat:tomcat | >=7.0.0<7.0.12 | 7.0.12 |
| maven/org.apache.tomcat:tomcat | >=6.0.0<6.0.33 | 6.0.33 |
| maven/org.apache.tomcat:tomcat | >=5.5.0<5.5.34 | 5.5.34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://svn.apache.org/viewvc?view=rev&rev=1087655
- http://tomcat.apache.org/security-6.html
- http://tomcat.apache.org/security-7.html
- http://svn.apache.org/viewvc?view=rev&rev=1159309
- http://svn.apache.org/viewvc?view=rev&rev=1158180
- http://tomcat.apache.org/security-5.html
- http://www.redhat.com/support/errata/RHSA-2011-1845.html
- http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html
- http://www.debian.org/security/2012/dsa-2401
- http://rhn.redhat.com/errata/RHSA-2012-0074.html
- http://rhn.redhat.com/errata/RHSA-2012-0075.html
- http://rhn.redhat.com/errata/RHSA-2012-0325.html
- http://rhn.redhat.com/errata/RHSA-2012-0076.html
- http://rhn.redhat.com/errata/RHSA-2012-0078.html
- http://rhn.redhat.com/errata/RHSA-2012-0077.html
- http://marc.info/?l=bugtraq&m=139344343412337&w=2
- http://secunia.com/advisories/57126
- https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2011-5063
- https://github.com/apache/tomcat/commit/639e20992a66d7a42fb59c974db91c8a0f730a1e
- https://github.com/apache/tomcat55/commit/644dfdf96cf82fcd2a2046d93f2b5495f7e94584
- https://access.redhat.com/errata/RHSA-2012:0074
- https://access.redhat.com/errata/RHSA-2012:0075
- https://access.redhat.com/errata/RHSA-2012:0076
- https://web.archive.org/web/20151017023138/http://secunia.com/advisories/57126
- https://github.com/advisories/GHSA-hffm-fqv4-w27r (Advisory)
- https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hffm-fqv4-w27r
- alias/CVE-2011-5063
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/remedy
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/event
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/5.5.27
- version/apache tomcat/5.5.18
- version/apache tomcat/5.5.12
- version/apache tomcat/5.5.14
- version/apache tomcat/5.5.10
- version/apache tomcat/5.5.4
- version/apache tomcat/5.5.7
- version/apache tomcat/5.5.1
- version/apache tomcat/5.5.11
- version/apache tomcat/5.5.28
- version/apache tomcat/5.5.6
- version/apache tomcat/5.5.26
- version/apache tomcat/5.5.20
- version/apache tomcat/5.5.15
- version/apache tomcat/5.5.5
- version/apache tomcat/5.5.30
- version/apache tomcat/5.5.21
- version/apache tomcat/5.5.22
- version/apache tomcat/5.5.3
- version/apache tomcat/5.5.32
- version/apache tomcat/5.5.31
- version/apache tomcat/5.5.9
- version/apache tomcat/5.5.25
- version/apache tomcat/5.5.33
- version/apache tomcat/5.5.2
- version/apache tomcat/5.5.0
- version/apache tomcat/5.5.13
- version/apache tomcat/5.5.24
- version/apache tomcat/5.5.8
- version/apache tomcat/5.5.16
- version/apache tomcat/5.5.17
- version/apache tomcat/5.5.29
- version/apache tomcat/5.5.19
- version/apache tomcat/5.5.23
- version/apache tomcat/6.0.6
- version/apache tomcat/6.0.11
- version/apache tomcat/6.0.7
- version/apache tomcat/6.0.4
- version/apache tomcat/6.0.15
- version/apache tomcat/6.0.20
- version/apache tomcat/6.0.10
- version/apache tomcat/6.0.31
- version/apache tomcat/6.0.29
- version/apache tomcat/6.0.3
- version/apache tomcat/6.0.9
- version/apache tomcat/6.0.24
- version/apache tomcat/6.0.17
- version/apache tomcat/6.0
- version/apache tomcat/6.0.32
- version/apache tomcat/6.0.28
- version/apache tomcat/6.0.0
- version/apache tomcat/6.0.14
- version/apache tomcat/6.0.1
- version/apache tomcat/6.0.12
- version/apache tomcat/6.0.18
- version/apache tomcat/6.0.5
- version/apache tomcat/6.0.30
- version/apache tomcat/6.0.2
- version/apache tomcat/6.0.13
- version/apache tomcat/6.0.26
- version/apache tomcat/6.0.19
- version/apache tomcat/6.0.27
- version/apache tomcat/6.0.16
- version/apache tomcat/6.0.8
- version/apache tomcat/7.0.8
- version/apache tomcat/7.0.1
- version/apache tomcat/7.0.2
- version/apache tomcat/7.0.5
- version/apache tomcat/7.0.0
- version/apache tomcat/7.0.6
- version/apache tomcat/7.0.11
- version/apache tomcat/7.0.0-beta
- version/apache tomcat/7.0.7
- version/apache tomcat/7.0.10
- version/apache tomcat/7.0.9
- version/apache tomcat/7.0.4
- version/apache tomcat/7.0.3
- package-manager/maven