CVE-2012-3546

🗓️ 19 Dec 2012 11:00:00Reported by redhatType

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI

Reporter	Title	Published	Views	Family All 167
IBM Security Bulletins	Security Bulletin: IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities	16 Jun 202221:33	–	ibm
IBM Security Bulletins	Security Bulletin: Apache Log4j Vulnerabilities Affect IBM Sterling B2B Integrator	6 Oct 202114:56	–	ibm
Tenable Nessus	Apache Tomcat 7.0.x < 7.0.30 DIGEST Authentication Multiple Security Weaknesses	26 Nov 201200:00	–	nessus
Tenable Nessus	Apache Tomcat 6.0.x < 6.0.36 Multiple Vulnerabilities	26 Nov 201200:00	–	nessus
Tenable Nessus	CentOS 6 : tomcat6 (CESA-2013:0623)	13 Mar 201300:00	–	nessus
Tenable Nessus	CentOS 5 : tomcat5 (CESA-2013:0640)	14 Mar 201300:00	–	nessus
Tenable Nessus	Debian DSA-2725-1 : tomcat6 - several vulnerabilities	19 Jul 201300:00	–	nessus
Tenable Nessus	Fedora 16 : tomcat-7.0.33-1.fc16 (2012-20151)	20 Dec 201200:00	–	nessus
Tenable Nessus	FreeBSD : tomcat -- bypass of security constraints (f599dfc4-3ec2-11e2-8ae1-001a8056d0b5)	6 Dec 201200:00	–	nessus
Tenable Nessus	GLSA-201412-29 : Apache Tomcat: Multiple vulnerabilities	15 Dec 201400:00	–	nessus

NVD

Node

apache tomcatMatch6.0

apache tomcatMatch6.0.0

apache tomcatMatch6.0.0alpha

apache tomcatMatch6.0.1

apache tomcatMatch6.0.1alpha

apache tomcatMatch6.0.2

apache tomcatMatch6.0.2alpha

apache tomcatMatch6.0.2beta

apache tomcatMatch6.0.3

apache tomcatMatch6.0.4

apache tomcatMatch6.0.5

apache tomcatMatch6.0.6

apache tomcatMatch6.0.7

apache tomcatMatch6.0.8

apache tomcatMatch6.0.9

apache tomcatMatch6.0.9beta

apache tomcatMatch6.0.10

apache tomcatMatch6.0.11

apache tomcatMatch6.0.12

apache tomcatMatch6.0.13

apache tomcatMatch6.0.14

apache tomcatMatch6.0.15

apache tomcatMatch6.0.16

apache tomcatMatch6.0.17

apache tomcatMatch6.0.18

apache tomcatMatch6.0.19

apache tomcatMatch6.0.20

apache tomcatMatch6.0.24

apache tomcatMatch6.0.26

apache tomcatMatch6.0.27

apache tomcatMatch6.0.28

apache tomcatMatch6.0.29

apache tomcatMatch6.0.30

apache tomcatMatch6.0.31

apache tomcatMatch6.0.32

apache tomcatMatch6.0.33

apache tomcatMatch6.0.35

Node

apache tomcatMatch7.0.0

apache tomcatMatch7.0.0beta

apache tomcatMatch7.0.1

apache tomcatMatch7.0.2

apache tomcatMatch7.0.2beta

apache tomcatMatch7.0.3

apache tomcatMatch7.0.4

apache tomcatMatch7.0.4beta

apache tomcatMatch7.0.5

apache tomcatMatch7.0.6

apache tomcatMatch7.0.7

apache tomcatMatch7.0.8

apache tomcatMatch7.0.9

apache tomcatMatch7.0.10

apache tomcatMatch7.0.11

apache tomcatMatch7.0.12

apache tomcatMatch7.0.13

apache tomcatMatch7.0.14

apache tomcatMatch7.0.15

apache tomcatMatch7.0.16

apache tomcatMatch7.0.17

apache tomcatMatch7.0.18

apache tomcatMatch7.0.19

apache tomcatMatch7.0.20

apache tomcatMatch7.0.21

apache tomcatMatch7.0.22

apache tomcatMatch7.0.23

apache tomcatMatch7.0.25

apache tomcatMatch7.0.28

Source	Link
ubuntu	www.ubuntu.com/usn/USN-1685-1
rhn	www.rhn.redhat.com/errata/RHSA-2013-0198.html
secunia	www.secunia.com/advisories/52054
lists	www.lists.opensuse.org/opensuse-updates/2012-12/msg00090.html
securityfocus	www.securityfocus.com/bid/56812
rhn	www.rhn.redhat.com/errata/RHSA-2013-0197.html
rhn	www.rhn.redhat.com/errata/RHSA-2013-0147.html
tomcat	www.tomcat.apache.org/security-6.html
lists	www.lists.opensuse.org/opensuse-updates/2013-01/msg00037.html
rhn	www.rhn.redhat.com/errata/RHSA-2013-0192.html

29 Apr 2026 01:13Current

6.3Medium risk

Vulners AI Score6.3

CVSS 24.3

EPSS0.02215

CWE-264