CVE-2011-5062Improper Authentication in Apache Tomcat

CWE-287Improper Authentication7 documents6 sources
Severity
5.0MEDIUMNVD
EPSS
5.3%
top 9.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedJan 14
Latest updateMay 14

Description

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

NVDapache/tomcat76 versions+75

Patches

Patch: svn.apache.orgPatch: svn.apache.orgPatch: svn.apache.org

🔴Vulnerability Details

3
GHSA
Improper Authentication in Apache Tomcat2022-05-14
OSV
Improper Authentication in Apache Tomcat2022-05-14
CVEList
CVE-2011-5062: The HTTP Digest Access Authentication implementation in Apache Tomcat 52012-01-14

📋Vendor Advisories

1
Red Hat
tomcat: Multiple weaknesses in HTTP DIGEST authentication2011-09-26

💬Community

2
Bugzilla
CVE-2011-5062 tomcat: Bypass intended integrity-protection requirements via a qop=auth value2012-01-16
Bugzilla
CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication2011-09-26
CVE-2011-5062 — Improper Authentication in Apache | cvebase