cbcvebase.
CVE-2009-0580
published 2009-06-05


Priority: P3 42 medium
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploit: available
EPSS: 94.44% (99.8th percentile)
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.

Affected

90 ranges · showing 25

Vendor | Product | Version range | Fixed in
apache | tomcat | 4.1.0 through 4.1.39 | (not listed)
apache | tomcat | 5.5.0 through 5.5.27 | (not listed)
apache | tomcat | 6.0.0 through 6.0.18 | (not listed)

(The per-row version and fixed-in values of the 25 displayed rows were not extracted; the ranges above are those given in the description.)

Detection & IOCs (extracted from sources)

URL: /j_security_check
Request: POST /j_security_check HTTP/1.1, Host: www.example.com, body j_username=tomcat&j_password=%
Path: /j_security_check
  • Detect username enumeration attempts by monitoring POST requests to /j_security_check where the j_password parameter contains a bare '%' (percent) character, indicating malformed URL encoding used to trigger differential error responses.
  • Alert on repeated POST requests to /j_security_check with malformed/illegally URL-encoded password values — differential server responses (error vs. redirect) can be used to confirm valid usernames.
  • Monitor for scanning activity targeting /j_security_check across Tomcat versions 4.1.0–4.1.39, 5.5.0–5.5.27, and 6.0.0–6.0.18, as these are the confirmed vulnerable ranges exploited by the Metasploit auxiliary module.
  • The vulnerability is only exploitable when FORM-based authentication (j_security_check) is configured. Installations not using FORM authentication are not affected.
  • The enumeration is specifically tied to three authentication realm implementations: MemoryRealm, DataSourceRealm, and JDBCRealm. Other realm types are not mentioned as vulnerable.
  • The Metasploit tomcat_enum module notes that newer Tomcat versions no longer ship the 'admin' package by default, limiting the attack surface on updated deployments.
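The detection bullets above describe a pattern that can be checked mechanically: POST requests to /j_security_check whose raw j_password value contains a '%' that is not a well-formed two-hex-digit escape, repeated across several usernames from one source. The following is an added example (not code from this page, from Tomcat, or from Metasploit) that applies that check to a constructed log; it assumes a log source that records POST bodies, such as a WAF or reverse-proxy audit log, since ordinary access logs do not.

```python
import re
from collections import defaultdict

# Constructed sample records (not real traffic), one request per line in the
# assumed format "<src_ip> <method> <path> <raw-form-body>".
SAMPLE_LOG = """\
10.0.0.5 POST /j_security_check j_username=tomcat&j_password=%
10.0.0.5 POST /j_security_check j_username=admin&j_password=%
10.0.0.5 POST /j_security_check j_username=manager&j_password=%2
10.0.0.9 POST /j_security_check j_username=alice&j_password=s3cret%21
10.0.0.9 GET /j_security_check j_username=alice&j_password=%
10.0.0.7 POST /login j_username=bob&j_password=%
"""

# A '%' is well-formed percent-encoding only when followed by exactly two hex digits.
BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def malformed_encoding(value):
    """True if the raw (undecoded) value contains a bare or truncated '%' escape."""
    return BAD_PCT.search(value) is not None


def raw_param(body, name):
    """Return the raw value of form field `name` without percent-decoding it,
    because decoding would hide exactly the malformation we are looking for."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def find_enumeration(log):
    """Map each source IP to the set of usernames it submitted together with a
    malformed j_password to /j_security_check via POST."""
    probes = defaultdict(set)
    for line in log.splitlines():
        src, method, path, body = line.split(" ", 3)
        if method != "POST" or path != "/j_security_check":
            continue
        password = raw_param(body, "j_password")
        if password is None or not malformed_encoding(password):
            continue
        probes[src].add(raw_param(body, "j_username") or "")
    return dict(probes)


def suspicious_sources(log, min_users=2):
    """Sources that probed at least `min_users` distinct usernames: likely enumeration."""
    return {src: sorted(users) for src, users in find_enumeration(log).items()
            if len(users) >= min_users}
```

A single malformed password may be a typo or a buggy client; the per-source username count is what separates enumeration from noise, so tune `min_users` to the environment.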

CVSS provenance

NVD (CVSS v2.0): 4.3 MEDIUM, AV:N/AC:M/Au:N/C:P/I:N/A:N
Vendor (Ubuntu): 5.0 MEDIUM
Vendor (Red Hat): 4.3 MEDIUM