CVE-2012-5885 β€” Improper Access Control in Apache Tomcat

CWE-284 β€” Improper Access Control11 documents7 sources
Severity
5.0MEDIUMNVD
EPSS
2.3%
top 15.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedNov 17
Latest updateMay 17

Description

The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

β–ΆNVDapache/tomcat94 versions+93

πŸ”΄Vulnerability Details

3
OSV
Improper Access Control in Apache Tomcat↗2022-05-17
β–Ά
GHSA
Improper Access Control in Apache Tomcat↗2022-05-17
β–Ά
CVEList
CVE-2012-5885: The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5β†—2012-11-17
β–Ά

πŸ“‹Vendor Advisories

3
Ubuntu
Tomcat vulnerabilities↗2012-11-21
β–Ά
Red Hat
tomcat: three DIGEST authentication implementation issues↗2012-11-05
β–Ά
Red Hat
Rejected:β†—2012-11-05
β–Ά

πŸ’¬Community

4
Bugzilla
CVE-2012-3439 Rejected: CVE-2012-3439β†—2015-10-28
β–Ά
Bugzilla
CVE-2012-5885 CVE-2012-5886 CVE-2012-5587 CVE-2012-2733 tomcat various flaws [fedora-16]β†—2012-11-06
β–Ά
Bugzilla
CVE-2012-5885 CVE-2012-5886 CVE-2012-5587 tomcat5: Three weaknesses in the DIGEST authentication implementation [fedora-16]β†—2012-11-06
β–Ά
Bugzilla
CVE-2012-5885 CVE-2012-5886 CVE-2012-5587 CVE-2012-2733 tomcat6 various flaws [fedora-all]β†—2012-11-06
β–Ά
CVE-2012-5885 β€” Improper Access Control in Apache | cvebase