CVE-2011-5063 — Improper Authentication in Apache Tomcat
Severity: NVD 4.3 (Medium); CNA 5.0; GHSA 5.0; OSV 5.0
EPSS: 2.0% (top 16.46%)
CISA KEV: not in KEV
Exploit: no known exploits
Timeline: published Jan 14; latest update May 14
Description
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check that the realm value in the client's Authorization header matches the realm the server is configured to protect. Because the realm is bound into the Digest response (HA1 = MD5(username:realm:password)), a remote attacker who holds a response valid for a protection space with weaker authentication or authorization requirements may be able to present it to a stronger one and bypass the intended access restrictions. This is a different vulnerability than CVE-2011-1184.
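As an added illustration (not Tomcat's code), the following Python shows the class of weakness described above: a Digest verifier that computes HA1 with whatever realm the client sent and never compares it to its configured realm, beside one that rejects a realm mismatch. The credential store, realm names, user, password and nonce are constructed for the example; it assumes the user has the same password in both protection spaces and that the same server nonce is accepted in both (nonce handling is a separate issue, covered under CVE-2011-1184).

```python
"""Digest-auth verifier without a realm check (the CVE-2011-5063 class of bug)
next to one that enforces the configured realm. Added example, not Tomcat code;
all users, realms, passwords and nonces below are constructed."""
import hashlib
import hmac
import re

CONFIGURED_REALM = "secure-area"   # the protection space this server is meant to enforce

# Constructed credential store: plaintext passwords, as a Tomcat Realm may hold them.
USERS = {"alice": "s3cret"}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest_header(value: str) -> dict:
    """Split an 'Authorization: Digest ...' value into its fields (quoted or bare)."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value[len("Digest "):]):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")   # the realm is bound in here
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_header(user, realm, password, method, uri, nonce, nc="00000001", cnonce="0a4f113b"):
    """What a client (or an attacker replaying a captured header) sends."""
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def verify_vulnerable(method, uri, header):
    """Trusts the realm the client sent: HA1 is computed with it and it is never
    compared to CONFIGURED_REALM, so a response minted for any realm in which the
    user has the same password is accepted."""
    f = parse_digest_header(header)
    pw = USERS.get(f.get("username"))
    if pw is None:
        return False
    expected = digest_response(f["username"], f["realm"], pw, method, f["uri"],
                               f["nonce"], f["nc"], f["cnonce"], f.get("qop", "auth"))
    return hmac.compare_digest(expected, f.get("response", ""))


def verify_fixed(method, uri, header):
    """Rejects any realm other than the configured one (and a uri that does not
    match the request), then computes HA1 with the server's own realm."""
    f = parse_digest_header(header)
    if f.get("realm") != CONFIGURED_REALM or f.get("uri") != uri:
        return False
    pw = USERS.get(f.get("username"))
    if pw is None:
        return False
    expected = digest_response(f["username"], CONFIGURED_REALM, pw, method, uri,
                               f["nonce"], f["nc"], f["cnonce"], f.get("qop", "auth"))
    return hmac.compare_digest(expected, f.get("response", ""))


def demo():
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed server nonce
    # Legitimate exchange against the configured realm.
    good = build_header("alice", CONFIGURED_REALM, "s3cret", "GET", "/admin/", nonce)
    # Header captured from a weaker protection space where alice reused her password.
    replayed = build_header("alice", "public-area", "s3cret", "GET", "/admin/", nonce)
    return {
        "legit_vulnerable": verify_vulnerable("GET", "/admin/", good),
        "legit_fixed": verify_fixed("GET", "/admin/", good),
        "replay_vulnerable": verify_vulnerable("GET", "/admin/", replayed),
        "replay_fixed": verify_fixed("GET", "/admin/", replayed),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The vulnerable verifier accepts both headers; the fixed one accepts only the response computed for `secure-area`. The point is that the realm is an input to HA1, so a server that does not pin it to its own configuration lets the client choose which protection space's credentials are being checked.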
CVSS v2 vector: AV:N/AC:M/Au:N/C:P/I:N/A:N (Exploitability 8.6, Impact 2.9)
Affected packages: 1
References: 3 vendor advisories, 1 community, 3 Bugzilla
Bugzilla
2012-01-16  CVE-2011-5063 tomcat: Bypass intended integrity protection due to incorrect realm checking
2011-09-26  CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
2011-03-23  libpng10, libpng: Memory leak by write of iCCP chunk with negative embedded profile length (CVE-2006-7244, CVE-2009-5063)