CVE-2009-0580
Published 2009-06-05
Priority: P3 · 42
CVSS 2.0: 4.3 (medium), vector AV:N/AC:M/Au:N/C:P/I:N/A:N
Exploit: available
EPSS: 94.44% (99.8th percentile)
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.
Affected
90 ranges · showing 25 (every listed entry is vendor apache, product tomcat; the version range and fixed-in columns were not captured)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
Detection & IOCs (extracted from sources)
- Detect username enumeration attempts by monitoring POST requests to /j_security_check where the j_password parameter contains a bare '%' (percent) character, indicating malformed URL encoding used to trigger differential error responses.
- Alert on repeated POST requests to /j_security_check with malformed/illegally URL-encoded password values; differential server responses (error vs. redirect) can be used to confirm valid usernames.
- Monitor for scanning activity targeting /j_security_check across Tomcat versions 4.1.0–4.1.39, 5.5.0–5.5.27, and 6.0.0–6.0.18, as these are the confirmed vulnerable ranges exploited by the Metasploit auxiliary module.
- The vulnerability is only exploitable when FORM-based authentication (j_security_check) is configured. Installations not using FORM authentication are not affected.
- The enumeration is specifically tied to three authentication realm implementations: MemoryRealm, DataSourceRealm, and JDBCRealm. Other realm types are not mentioned as vulnerable.
- The Metasploit tomcat_enum module notes that newer Tomcat versions no longer ship the 'admin' package by default, limiting the attack surface on updated deployments.
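The first two detection items above can be checked mechanically. The script below is an added example written for this page; it is not code from the original page, from Apache Tomcat, or from any vendor or tool cited here. It assumes a hypothetical proxy or WAF log format of the form `<client_ip> <method> <path> <raw_request_body>` (a standard access log does not record POST bodies, so this only works where the body is captured), and the sample log lines are constructed. It flags every POST to /j_security_check whose still-encoded j_password value contains a '%' that is not followed by two hex digits, then aggregates repeat offenders per source address so a single typo does not raise an alert but a probing loop does.

```python
import re
from collections import Counter

# Constructed sample log (not from the original page). Hypothetical format:
# "<client_ip> <method> <path> <raw_request_body>", body kept percent-encoded.
SAMPLE_LOG = """\
203.0.113.7 POST /j_security_check j_username=tomcat&j_password=%
203.0.113.7 POST /j_security_check j_username=admin&j_password=%
203.0.113.7 POST /j_security_check j_username=manager&j_password=%
198.51.100.4 POST /j_security_check j_username=alice&j_password=s3cret%21
198.51.100.4 GET /index.jsp -
203.0.113.9 POST /j_security_check j_username=bob&j_password=%zz
"""

LOGIN_PATH = "/j_security_check"

# A '%' that is not followed by exactly two hex digits is not valid
# application/x-www-form-urlencoded data; a bare '%' is the page's example.
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def is_malformed_percent_encoding(raw_value):
    """True if the still-encoded value contains an invalid %-escape."""
    return _BAD_PCT.search(raw_value) is not None


def raw_form_param(body, name):
    """Return the *undecoded* value of `name` from a form body, or None.

    urllib's decoders are deliberately avoided: decoding first would
    silently normalise the very defect we are looking for.
    """
    for pair in body.split("&"):
        key, _sep, value = pair.partition("=")
        if key == name:
            return value
    return None


def scan_log(text):
    """Return one finding per POST to the login URL with a malformed password."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        ip, method, path, body = parts
        if method != "POST" or path != LOGIN_PATH:
            continue
        password = raw_form_param(body, "j_password")
        if password is None or not is_malformed_percent_encoding(password):
            continue
        findings.append({
            "ip": ip,
            "username": raw_form_param(body, "j_username") or "",
            "j_password": password,
        })
    return findings


def alert_sources(findings, threshold=2):
    """Map source IP -> count for sources at or above the repeat threshold."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ip']} probed username {hit['username']!r} "
              f"with j_password={hit['j_password']!r}")
    for ip, n in alert_sources(hits).items():
        print(f"ALERT: {ip} sent {n} malformed-password login attempts")
```

The threshold is the tunable part: a legitimate user whose password literally contains a percent sign will be URL-encoded as `%25` by any browser, so even a single raw '%' is suspicious, but requiring two or more hits per source keeps the rule quiet against one-off broken clients.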
CVSS provenance
NVD (CVSS v2.0): 4.3 MEDIUM, AV:N/AC:M/Au:N/C:P/I:N/A:N
vendor_ubuntu: 5.0 MEDIUM
vendor_redhat: 4.3 MEDIUM
OSV
osv · 2022-05-02
CVE-2009-0580 [MEDIUM] Exposure of Sensitive Information in Apache Tomcat
GHSA
ghsa · 2022-05-02
CVE-2009-0580 [MEDIUM] CWE-200 Exposure of Sensitive Information in Apache Tomcat
VMware
vendor_vmware · 2009-11-20 · CVSS 5.0
CVE-2007-2052 [MEDIUM] VMSA-2009-0016: VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-
Ubuntu
vendor_ubuntu · 2009-06-15 · CVSS 5.0
CVE-2009-0580 [MEDIUM] Tomcat vulnerabilities
Iida Minehiko discovered that Tomcat did not properly normalise paths. A
remote attacker could send specially crafted requests to the server and
bypass security restrictions, gaining access to sensitive content.
(CVE-2008-5515)
Yoshihito Fukuyama discovered that Tomcat did not properly handle errors
when the Java AJP connector and mod_jk load balancing are used. A remote
attacker could send specially crafted requests containing invalid headers
to the server and cause a temporary denial of service. (CVE-2009-0033)
D. Matscheko and T. Hackner discovered that Tomcat did not properly handle
malformed URL encoding of passwords when FORM authentication is used. A
remote attacker could exploit this in order to enumerate valid usern
Red Hat
vendor_redhat · 2009-06-03 · CVSS 4.3
CVE-2009-0580 [MEDIUM] tomcat6 Information disclosure in authentication classes
No detection rules found.
Exploit-DB
exploitdb · 2009-06-03
CVE-2009-0580 Apache Tomcat 6.0.18 - Form Authentication Existing/Non-Existing 'Username' Enumeration
---
source: https://www.securityfocus.com/bid/35196/info
Apache Tomcat is prone to a username-enumeration weakness because it displays different responses to login attempts, depending on whether or not the username exists.
Attackers may exploit this weakness to discern valid usernames. This may aid them in brute-force password cracking or other attacks.
The following are vulnerable:
Tomcat 4.1.x (prior to 4.1.40)
Tomcat 5.5x (prior to 5.5.28)
Tomcat 6.0.x (prior to 6.0.20)
The following example POST data is available:

```http
POST /j_security_check HTTP/1.1
Host: www.example.com

j_username=tomcat&j_password=%
```
Metasploit
metasploit
Apache Tomcat User Enumeration
This module enumerates Apache Tomcat's usernames via malformed requests to j_security_check, which can be found in the web administration package. It should work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18. Newer versions no longer have the "admin" package by default. The 'admin' package is no longer provided for Tomcat 6 and later versions.
Bugzilla
bugzilla · 2010-07-21 · CVSS 4.3
CVE-2009-2696 [MEDIUM] tomcat: missing fix for CVE-2009-0781
The RHSA-2009:1164 Tomcat security update for Red Hat Enterprise Linux 5
did not, unlike the erratum text stated, provide a fix for CVE-2009-0781, a
cross-site scripting (XSS) flaw in the examples calendar application. A
missing patch is considered a security regression, and requires a new CVE
name. This regression is assigned CVE-2009-2696. It fixes the same issue as
CVE-2009-0781 and is specific to Red Hat Enterprise Linux 5.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0580 https://rhn.redhat.com/errata/RHSA-2010-0580.html
Bugzilla
bugzilla · 2009-11-09 · CVSS 5.0
CVE-2009-0033 [MEDIUM] CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2008-5515 CVE-2009-0781 Multiple tomcat5 vulnerabilities [Fedora all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in all affected branches.
You should *not* refer to this bug publicly, as it is a private "Fedora Project Contributors" bug.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in "Blocks" field.
bug #493381: CVE-2009-0033 tomcat6 Denial-Of-Service with AJP connection
bug #503978: CVE-2009-0580 tomcat6 Information disclosure in authentication classes
bug #504153: CVE-2009-0783 tomcat XML parser information disclosure
bug #504753: CVE-2008-5515 tomcat request dispatcher information d
Bugzilla
bugzilla · 2009-06-03 · CVSS 4.3
CVE-2009-0580 [MEDIUM] tomcat6 Information disclosure in authentication classes
Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of user names by supplying illegally URL encoded passwords. The attack is possible if FORM based authentication (j_security_check) is used with either the MemoryRealm, DataSourceRealm or JDBCRealm.
Discussion:
Patchset for tomcat5: http://svn.apache.org/viewvc?view=rev&revision=781379
Patchset for tomcat6: http://svn.apache.org/viewvc?view=rev&revision=747840
---
This issue has been addressed in the following products:
JBEAP 4.3.0 for RHEL 5
Via RHSA-2009:1145 https://rhn.redhat.com/errata/RHSA-2009-1145.html
---
This issue has been addressed in the following products:
JBEAP 4.3.0 for RHEL 4
Via RHSA-200
References
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
http://marc.info/?l=bugtraq&m=127420533226623&w=2
http://marc.info/?l=bugtraq&m=129070310906557&w=2
http://marc.info/?l=bugtraq&m=133469267822771&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://secunia.com/advisories/35326
http://secunia.com/advisories/35344
http://secunia.com/advisories/35685
http://secunia.com/advisories/35788
http://secunia.com/advisories/37460
http://secunia.com/advisories/42368
http://securitytracker.com/id?1022332
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1
http://support.apple.com/kb/HT4077
http://svn.apache.org/viewvc?rev=747840&view=rev
http://svn.apache.org/viewvc?rev=781379&view=rev
http://svn.apache.org/viewvc?rev=781382&view=rev
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://www.debian.org/security/2011/dsa-2207
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176
http://www.securityfocus.com/archive/1/504045/100/0/threaded
http://www.securityfocus.com/archive/1/504108/100/0/threaded
http://www.securityfocus.com/archive/1/504125/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/bid/35196
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/1496
http://www.vupen.com/english/advisories/2009/1856
http://www.vupen.com/english/advisories/2009/3316
http://www.vupen.com/english/advisories/2010/3056
https://exchange.xforce.ibmcloud.com/vulnerabilities/50930
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18915
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6628
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9101
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html