CVE-2011-5064Use of Hard-coded Cryptographic Key in Apache Tomcat

CWE-321Use of Hard-coded Cryptographic Key8 documents6 sources
Severity
4.3MEDIUMNVD
CNA5.0GHSA5.0OSV5.0
EPSS
5.3%
top 9.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedJan 14
Latest updateMay 14

Description

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDapache/tomcat76 versions+75

Patches

Patch: svn.apache.orgPatch: svn.apache.orgPatch: svn.apache.org

🔴Vulnerability Details

3
OSV
Use of Hard-coded Cryptographic Key in Apache Tomcat2022-05-14
GHSA
Use of Hard-coded Cryptographic Key in Apache Tomcat2022-05-14
CVEList
CVE-2011-5064: DigestAuthenticator2012-01-14

📋Vendor Advisories

1
Red Hat
tomcat: Multiple weaknesses in HTTP DIGEST authentication2011-09-26

💬Community

3
Bugzilla
CVE-2011-5064 tomcat: Hard-coded server secret eases bypass of cryptographic protection mechanisms2012-01-16
Bugzilla
CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication2011-09-26
Bugzilla
CVE-2009-5064 glibc: ldd unexpected code execution issue [rhel-6.2]2011-06-14
CVE-2011-5064 — Use of Hard-coded Cryptographic Key | cvebase