CVE-2012-5887
First published: Sat Nov 17 2012(Updated: )
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tomcat | =5.5.0 | |
| Apache Tomcat | =5.5.1 | |
| Apache Tomcat | =5.5.2 | |
| Apache Tomcat | =5.5.3 | |
| Apache Tomcat | =5.5.4 | |
| Apache Tomcat | =5.5.5 | |
| Apache Tomcat | =5.5.6 | |
| Apache Tomcat | =5.5.7 | |
| Apache Tomcat | =5.5.8 | |
| Apache Tomcat | =5.5.9 | |
| Apache Tomcat | =5.5.10 | |
| Apache Tomcat | =5.5.11 | |
| Apache Tomcat | =5.5.12 | |
| Apache Tomcat | =5.5.13 | |
| Apache Tomcat | =5.5.14 | |
| Apache Tomcat | =5.5.15 | |
| Apache Tomcat | =5.5.16 | |
| Apache Tomcat | =5.5.17 | |
| Apache Tomcat | =5.5.18 | |
| Apache Tomcat | =5.5.19 | |
| Apache Tomcat | =5.5.20 | |
| Apache Tomcat | =5.5.21 | |
| Apache Tomcat | =5.5.22 | |
| Apache Tomcat | =5.5.23 | |
| Apache Tomcat | =5.5.24 | |
| Apache Tomcat | =5.5.25 | |
| Apache Tomcat | =5.5.26 | |
| Apache Tomcat | =5.5.27 | |
| Apache Tomcat | =5.5.28 | |
| Apache Tomcat | =5.5.29 | |
| Apache Tomcat | =5.5.30 | |
| Apache Tomcat | =5.5.31 | |
| Apache Tomcat | =5.5.32 | |
| Apache Tomcat | =5.5.33 | |
| Apache Tomcat | =5.5.34 | |
| Apache Tomcat | =5.5.35 | |
| Apache Tomcat | =6.0 | |
| Apache Tomcat | =6.0.0 | |
| Apache Tomcat | =6.0.0-alpha | |
| Apache Tomcat | =6.0.1 | |
| Apache Tomcat | =6.0.1-alpha | |
| Apache Tomcat | =6.0.2 | |
| Apache Tomcat | =6.0.2-alpha | |
| Apache Tomcat | =6.0.2-beta | |
| Apache Tomcat | =6.0.3 | |
| Apache Tomcat | =6.0.4 | |
| Apache Tomcat | =6.0.4-alpha | |
| Apache Tomcat | =6.0.5 | |
| Apache Tomcat | =6.0.6 | |
| Apache Tomcat | =6.0.6-alpha | |
| Apache Tomcat | =6.0.7 | |
| Apache Tomcat | =6.0.7-alpha | |
| Apache Tomcat | =6.0.7-beta | |
| Apache Tomcat | =6.0.8 | |
| Apache Tomcat | =6.0.8-alpha | |
| Apache Tomcat | =6.0.9 | |
| Apache Tomcat | =6.0.9-beta | |
| Apache Tomcat | =6.0.10 | |
| Apache Tomcat | =6.0.11 | |
| Apache Tomcat | =6.0.12 | |
| Apache Tomcat | =6.0.13 | |
| Apache Tomcat | =6.0.14 | |
| Apache Tomcat | =6.0.15 | |
| Apache Tomcat | =6.0.16 | |
| Apache Tomcat | =6.0.17 | |
| Apache Tomcat | =6.0.18 | |
| Apache Tomcat | =6.0.19 | |
| Apache Tomcat | =6.0.20 | |
| Apache Tomcat | =6.0.24 | |
| Apache Tomcat | =6.0.26 | |
| Apache Tomcat | =6.0.27 | |
| Apache Tomcat | =6.0.28 | |
| Apache Tomcat | =6.0.29 | |
| Apache Tomcat | =6.0.30 | |
| Apache Tomcat | =6.0.31 | |
| Apache Tomcat | =6.0.32 | |
| Apache Tomcat | =6.0.33 | |
| Apache Tomcat | =6.0.35 | |
| Apache Tomcat | =7.0.0 | |
| Apache Tomcat | =7.0.0-beta | |
| Apache Tomcat | =7.0.1 | |
| Apache Tomcat | =7.0.2 | |
| Apache Tomcat | =7.0.2-beta | |
| Apache Tomcat | =7.0.3 | |
| Apache Tomcat | =7.0.4 | |
| Apache Tomcat | =7.0.4-beta | |
| Apache Tomcat | =7.0.5 | |
| Apache Tomcat | =7.0.6 | |
| Apache Tomcat | =7.0.7 | |
| Apache Tomcat | =7.0.8 | |
| Apache Tomcat | =7.0.9 | |
| Apache Tomcat | =7.0.10 | |
| Apache Tomcat | =7.0.11 | |
| Apache Tomcat | =7.0.12 | |
| Apache Tomcat | =7.0.13 | |
| Apache Tomcat | =7.0.14 | |
| Apache Tomcat | =7.0.15 | |
| Apache Tomcat | =7.0.16 | |
| Apache Tomcat | =7.0.17 | |
| Apache Tomcat | =7.0.18 | |
| Apache Tomcat | =7.0.19 | |
| Apache Tomcat | =7.0.20 | |
| Apache Tomcat | =7.0.21 | |
| Apache Tomcat | =7.0.22 | |
| Apache Tomcat | =7.0.23 | |
| Apache Tomcat | =7.0.25 | |
| Apache Tomcat | =7.0.28 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html
- http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html
- http://rhn.redhat.com/errata/RHSA-2013-0623.html
- http://rhn.redhat.com/errata/RHSA-2013-0629.html
- http://rhn.redhat.com/errata/RHSA-2013-0631.html
- http://rhn.redhat.com/errata/RHSA-2013-0632.html
- http://rhn.redhat.com/errata/RHSA-2013-0633.html
- http://rhn.redhat.com/errata/RHSA-2013-0640.html
- http://rhn.redhat.com/errata/RHSA-2013-0647.html
- http://rhn.redhat.com/errata/RHSA-2013-0648.html
- http://rhn.redhat.com/errata/RHSA-2013-0726.html
- http://secunia.com/advisories/51371
- http://svn.apache.org/viewvc?view=revision&revision=1377807
- http://svn.apache.org/viewvc?view=revision&revision=1380829
- http://svn.apache.org/viewvc?view=revision&revision=1392248
- http://tomcat.apache.org/security-5.html
- http://tomcat.apache.org/security-6.html
- http://tomcat.apache.org/security-7.html
- http://www-01.ibm.com/support/docview.wss?uid=swg21626891
- http://www.securityfocus.com/bid/56403
- http://www.ubuntu.com/usn/USN-1637-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79809
- collector/nvd-index
- agent/weakness
- agent/references
- agent/author
- agent/severity
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/5.5.0
- version/apache tomcat/5.5.1
- version/apache tomcat/5.5.2
- version/apache tomcat/5.5.3
- version/apache tomcat/5.5.4
- version/apache tomcat/5.5.5
- version/apache tomcat/5.5.6
- version/apache tomcat/5.5.7
- version/apache tomcat/5.5.8
- version/apache tomcat/5.5.9
- version/apache tomcat/5.5.10
- version/apache tomcat/5.5.11
- version/apache tomcat/5.5.12
- version/apache tomcat/5.5.13
- version/apache tomcat/5.5.14
- version/apache tomcat/5.5.15
- version/apache tomcat/5.5.16
- version/apache tomcat/5.5.17
- version/apache tomcat/5.5.18
- version/apache tomcat/5.5.19
- version/apache tomcat/5.5.20
- version/apache tomcat/5.5.21
- version/apache tomcat/5.5.22
- version/apache tomcat/5.5.23
- version/apache tomcat/5.5.24
- version/apache tomcat/5.5.25
- version/apache tomcat/5.5.26
- version/apache tomcat/5.5.27
- version/apache tomcat/5.5.28
- version/apache tomcat/5.5.29
- version/apache tomcat/5.5.30
- version/apache tomcat/5.5.31
- version/apache tomcat/5.5.32
- version/apache tomcat/5.5.33
- version/apache tomcat/5.5.34
- version/apache tomcat/5.5.35
- version/apache tomcat/6.0
- version/apache tomcat/6.0.0
- version/apache tomcat/6.0.0-alpha
- version/apache tomcat/6.0.1
- version/apache tomcat/6.0.1-alpha
- version/apache tomcat/6.0.2
- version/apache tomcat/6.0.2-alpha
- version/apache tomcat/6.0.2-beta
- version/apache tomcat/6.0.3
- version/apache tomcat/6.0.4
- version/apache tomcat/6.0.4-alpha
- version/apache tomcat/6.0.5
- version/apache tomcat/6.0.6
- version/apache tomcat/6.0.6-alpha
- version/apache tomcat/6.0.7
- version/apache tomcat/6.0.7-alpha
- version/apache tomcat/6.0.7-beta
- version/apache tomcat/6.0.8
- version/apache tomcat/6.0.8-alpha
- version/apache tomcat/6.0.9
- version/apache tomcat/6.0.9-beta
- version/apache tomcat/6.0.10
- version/apache tomcat/6.0.11
- version/apache tomcat/6.0.12
- version/apache tomcat/6.0.13
- version/apache tomcat/6.0.14
- version/apache tomcat/6.0.15
- version/apache tomcat/6.0.16
- version/apache tomcat/6.0.17
- version/apache tomcat/6.0.18
- version/apache tomcat/6.0.19
- version/apache tomcat/6.0.20
- version/apache tomcat/6.0.24
- version/apache tomcat/6.0.26
- version/apache tomcat/6.0.27
- version/apache tomcat/6.0.28
- version/apache tomcat/6.0.29
- version/apache tomcat/6.0.30
- version/apache tomcat/6.0.31
- version/apache tomcat/6.0.32
- version/apache tomcat/6.0.33
- version/apache tomcat/6.0.35
- version/apache tomcat/7.0.0
- version/apache tomcat/7.0.0-beta
- version/apache tomcat/7.0.1
- version/apache tomcat/7.0.2
- version/apache tomcat/7.0.2-beta
- version/apache tomcat/7.0.3
- version/apache tomcat/7.0.4
- version/apache tomcat/7.0.4-beta
- version/apache tomcat/7.0.5
- version/apache tomcat/7.0.6
- version/apache tomcat/7.0.7
- version/apache tomcat/7.0.8
- version/apache tomcat/7.0.9
- version/apache tomcat/7.0.10
- version/apache tomcat/7.0.11
- version/apache tomcat/7.0.12
- version/apache tomcat/7.0.13
- version/apache tomcat/7.0.14
- version/apache tomcat/7.0.15
- version/apache tomcat/7.0.16
- version/apache tomcat/7.0.17
- version/apache tomcat/7.0.18
- version/apache tomcat/7.0.19
- version/apache tomcat/7.0.20
- version/apache tomcat/7.0.21
- version/apache tomcat/7.0.22
- version/apache tomcat/7.0.23
- version/apache tomcat/7.0.25
- version/apache tomcat/7.0.28