CVE-2011-1184: Improper Authentication in Apache Tomcat

Severity
5.0 MEDIUM (NVD)
EPSS
2.2%
top 15.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jan 14
Latest update: May 17

Description

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

CVSS vector

AV:N/AC:L/C:P/I:N/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (1 package)

NVD: apache/tomcat, 76 versions (+75)

Patches

Vulnerability Details (7)

GHSA: Improper Access Control in Apache Tomcat (2022-05-17)
GHSA: Authentication Bypass in Apache Tomcat (2022-05-14)
OSV: Authentication Bypass in Apache Tomcat (2022-05-14)
GHSA: Improper Authentication in Apache Tomcat (2022-05-14)
GHSA: Use of Hard-coded Cryptographic Key in Apache Tomcat (2022-05-14)

Vendor Advisories (6)

Red Hat: tomcat: three DIGEST authentication implementation issues (2012-11-05)
Ubuntu: Tomcat vulnerabilities (2011-11-08)
Red Hat: tomcat: Multiple weaknesses in HTTP DIGEST authentication (2011-09-26)
Red Hat: tomcat: Multiple weaknesses in HTTP DIGEST authentication (2011-09-26)
Red Hat: tomcat: Multiple weaknesses in HTTP DIGEST authentication (2011-09-26)

Community (3)

Bugzilla: CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication (2011-09-26)
Bugzilla: CVE-2011-1184 tomcat5: Multiple weaknesses in the HTTP DIGEST authentication [fedora-16] (2011-09-26)
Bugzilla: CVE-2011-1184 tomcat5, tomcat6: Multiple weaknesses in the HTTP DIGEST authentication [fedora-all] (2011-09-26)