cbcvebase.
CVE-2010-1157
published 2010-04-23

Priority: P3 · 35 · low
CVSS 2.0: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 52.51% (98.8th percentile)
Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply.

Affected

58 ranges · showing 25
Vendor · Product · Version range · Fixed in
apache · tomcat

Detection & IOCs (extracted from sources)

url: GET /application/j_security_check HTTP/1.0
other: WWW-Authenticate: Basic realm="<hostname>:<port>"
  • Detect information disclosure by monitoring WWW-Authenticate response headers where the realm field contains a hostname or IP address and port (e.g. realm="<host>:<port>"), indicating no realm-name is configured in web.xml.
  • Trigger condition: attacker sends a request to a resource requiring BASIC or DIGEST authentication and reads the realm field in the WWW-Authenticate header of the 401 reply to discover internal hostname or IP.
  • The vulnerable default realm is generated by Tomcat using request.getServerName() + ":" + request.getServerPort(); look for this pattern in 401 responses to identify unpatched instances.
  • Vulnerability only applies when no realm-name is explicitly set in the login-config section of web.xml for applications using BASIC or DIGEST authentication.
  • Configurations that already have a realm-name specified in web.xml are not affected by this issue.
  • The leak is only operationally significant in deployments where requests are proxied to internal Tomcat instances from a publicly-accessible host, since it exposes the internal host:port.
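
The header check described in the bullets above, as an added example that is not part of the original entry: it flags 401 responses whose BASIC or DIGEST realm has the `<host>:<port>` shape Tomcat generates when no realm-name is configured. The function names and the sample responses (hosts, ports, realm text) are constructed for illustration.

```python
import re

# Constructed sample responses (status line + headers); not captured from a real system.
SAMPLE_RESPONSES = {
    "app-a": 'HTTP/1.1 401 Unauthorized\r\n'
             'WWW-Authenticate: Basic realm="10.0.3.17:8080"\r\n\r\n',
    "app-b": 'HTTP/1.1 401 Unauthorized\r\n'
             'WWW-Authenticate: Digest realm="tc01.corp.example:8443", qop="auth"\r\n\r\n',
    "app-c": 'HTTP/1.1 401 Unauthorized\r\n'
             'WWW-Authenticate: Basic realm="Staff Portal"\r\n\r\n',
    "app-d": 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n',
}

# A BASIC or DIGEST challenge line, and the quoted realm parameter inside it.
CHALLENGE = re.compile(r'^WWW-Authenticate:\s*(Basic|Digest)\b(.*)$', re.I | re.M)
REALM = re.compile(r'\brealm="([^"]*)"', re.I)
# The whole realm is an IPv4 address or hostname followed by ":<port>".
HOST_PORT = re.compile(
    r'^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?):(\d{1,5})$'
)

def leaked_realm(raw_headers):
    """Return (scheme, realm) if a 401 challenge carries a host:port realm, else None."""
    status = raw_headers.split("\r\n", 1)[0].split()
    if len(status) < 2 or status[1] != "401":
        return None  # only 401 replies carry the challenge of interest
    for challenge in CHALLENGE.finditer(raw_headers):
        realm = REALM.search(challenge.group(2))
        if not realm:
            continue
        host_port = HOST_PORT.match(realm.group(1))
        # A configured realm-name such as "Staff Portal" does not match this shape.
        if host_port and 0 < int(host_port.group(1)) <= 65535:
            return challenge.group(1).capitalize(), realm.group(1)
    return None

def scan(responses):
    """Map each response name to its finding, keeping only flagged responses."""
    return {name: hit for name, raw in responses.items() if (hit := leaked_realm(raw))}

if __name__ == "__main__":
    for name, (scheme, realm) in scan(SAMPLE_RESPONSES).items():
        print(f"{name}: {scheme} realm exposes {realm}; set realm-name in web.xml")
```

A realm-name that an administrator deliberately wrote as `name:number` would also match, so confirm a finding against the application's login-config before treating it as the default realm.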

CVSS provenance

nvd · v2.0 · 2.6 · LOW · AV:N/AC:H/Au:N/C:P/I:N/A:N
vendor_redhat · 2.6 · LOW