org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.

OSVersionArchitecturePackageVersionFilename
Debian9alltomcat7< 7.0.75-1tomcat7_7.0.75-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	all	tomcat7	< 7.0.75-1	tomcat7_7.0.75-1_all.deb

redhat 22

nessus 34

prion 1

veracode 9

securityvulns 4

freebsd 1

ubuntucve 1

github 1

osv 2

cve 1

seebug 1

thn 2

atlassian 6

openvas 22

ubuntu 1

tomcat 2

centos 2

oraclelinux 2

fedora 1

f5 1

debian 1

vmware 2

gentoo 1

ibm 2

redhat

(RHSA-2013:0151) Important: JBoss Enterprise Portal Platform 4.3 CP07 security update

2013-01-10 00:00:00

(RHSA-2013:0162) Important: JBoss Enterprise SOA Platform 4.2.0.CP05 and 4.3.0.CP05 update

2013-01-15 00:00:00

(RHSA-2013:0147) Important: jbossas security update

2013-01-08 00:00:00

nessus

RHEL 5 / 6 : jbossweb (RHSA-2013:0164)

2013-01-24 00:00:00

RHEL 5 : jbossas (RHSA-2013:0147)

2013-01-24 00:00:00

RHEL 5 / 6 : JBoss Web Server (RHSA-2013:0641)

2014-11-08 00:00:00

prion

Authentication flaw

2012-12-19 11:55:00

veracode

Authentication Bypass When FORM Authentication Is Used

2019-01-15 08:52:32

Privilege Escalation

2019-05-02 04:46:48

Cross Site Scripting (XSS)

2019-05-02 04:46:17

securityvulns

CVE-2012-3546 Apache Tomcat Bypass of security constraints

2012-12-07 00:00:00

Apache Tomcat multiple security vulnerabilities

2012-12-07 00:00:00

[security bulletin] HPSBMU02894 rev.1 - HP Network Node Manager I (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Denial of Service (DoS), Unauthorized Access, Execution of Arbitrary Code

2013-07-29 00:00:00

freebsd

tomcat -- bypass of security constraints

2012-12-04 00:00:00

ubuntucve

CVE-2012-3546

2012-12-19 00:00:00

github

Authentication Bypass in Apache Tomcat

2022-05-17 00:59:04

osv

Authentication Bypass in Apache Tomcat

2022-05-17 00:59:04

tomcat6 - several

2013-07-18 00:00:00

cve

CVE-2012-3546

2012-12-19 11:55:00

seebug

Apache Tomcat FORM身份验证安全绕过漏洞

2012-12-07 00:00:00

thn

Apache Tomcat Multiple Critical Vulnerabilities

2012-12-05 06:45:00

Apache Tomcat Multiple Critical Vulnerabilities

2012-12-05 17:45:00

atlassian

Upgrade bundled Tomcat to the latest minor release

2013-06-19 09:30:24

Upgrade bundled Tomcat to the latest minor release

2013-06-19 09:30:24

Upgrade bundled Tomcat to the latest minor release

2013-06-19 09:30:24

openvas

Ubuntu: Security Advisory (USN-1685-1)

2013-01-15 00:00:00

Apache Tomcat 7.0.x < 7.0.29 Multiple Vulnerabilities - Linux

2021-10-29 00:00:00

Ubuntu Update for tomcat7 USN-1685-1

2013-01-15 00:00:00

ubuntu

Tomcat vulnerabilities

2013-01-14 00:00:00

tomcat

Fixed in Apache Tomcat 7.0.30

2012-09-06 00:00:00

Fixed in Apache Tomcat 6.0.36

2012-10-19 00:00:00

centos

tomcat5 security update

2013-03-12 19:14:34

tomcat6 security update

2013-03-12 05:31:44

oraclelinux

tomcat5 security update

2013-03-12 00:00:00

tomcat6 security update

2013-03-11 00:00:00

fedora

[SECURITY] Fedora 16 Update: tomcat-7.0.33-1.fc16

2012-12-19 08:29:53

K20038622 : Multiple Apache Tomcat vulnerabilities

2020-08-06 00:00:00

debian

[SECURITY] [DSA 2725-1] tomcat6 security update

2013-07-18 17:58:50

vmware

VMware security updates for vCenter Server

2013-04-25 00:00:00

VMware security updates for vCenter Server

2013-04-25 00:00:00

gentoo

Apache Tomcat: Multiple vulnerabilities

2014-12-15 00:00:00

ibm

Security Bulletin: Apache Log4j Vulnerabilities Affect IBM Sterling B2B Integrator

2021-10-06 14:56:49

Security Bulletin: IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities

2022-06-16 21:33:31

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

JSON

Related for DEBIANCVE:CVE-2012-3546