CVE-2012-3546 — Improper Authentication in Apache Tomcat

CWE-264 CWE-287 — Improper Authentication10 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

2.2%

top 15.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat

Timeline

PublishedDec 19

Latest updateMay 17

Description

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/tomcat58 versions+57

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

Authentication Bypass in Apache Tomcat↗2022-05-17

▶

OSV

Authentication Bypass in Apache Tomcat↗2022-05-17

▶

CVEList

CVE-2012-3546: org/apache/catalina/realm/RealmBase↗2012-12-19

▶

📋Vendor Advisories

Ubuntu

Tomcat vulnerabilities↗2013-01-14

▶

Red Hat

Web: Bypass of security constraints↗2012-12-04

▶

💬Community

Bugzilla

CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints [fedora-all]↗2012-12-05

▶

Bugzilla

CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints↗2012-12-05

▶

Bugzilla

CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints [fedora-all]↗2012-12-05

▶

Bugzilla

CVE-2011-3546 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment)↗2011-10-19

▶