Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusTenable5882.PASL
HistoryApr 07, 2011 - 12:00 a.m.

Apache Tomcat 7.0.x < 7.0.12 Multiple Vulnerabilities

2011-04-0700:00:00
Tenable
www.tenable.com
10
JSON

According to its self-reported version number, the instance of Apache Tomcat 7.x listening on the remote host is prior to 7.0.12. It is, therefore, affected by multiple vulnerabilities:

  • A fix for CVE-2011-1088 introduced a security bypass vulnerability. If login configuration data is absent from the ‘web.xml’ file and a web application is marked as ‘metadata-complete’, security constraints are ignored and may be bypassed by an attacker. Please note this vulnerability only affects version 7.0.11 of Tomcat. (CVE-2011-1183)

  • Several weaknesses were found in the HTTP Digest authentication implementation. The issues are as follows: replay attacks are possible, server nonces are not checked, client nonce counts are not checked, ‘quality of protection’ (qop) values are not checked, realm values are not checked, and the server secret is a hard-coded, known string. The effect of these issues is that Digest authentication is no stronger than Basic authentication. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)

  • Updates to the HTTP BIO connector, in support of Servlet 3.0 asynchronous requests, fail to completely handle HTTP pipelining. Sensitive information may be disclosed because responses from the server can be improperly returned to the wrong request and possibly to the wrong user. (CVE-2011-1475)

Note that Nessus Network Monitor has not tested for these issues but has instead relied only on the application’s self-reported version number.

Binary data 5882.pasl
VendorProductVersionCPE
apachetomcatcpe:/a:apache:tomcat

Related

nessus 28
tomcat 5
openvas 37
suse 2
redhat 10
oraclelinux 3
centos 2
prion 10
debiancve 5
ubuntucve 8
cve 10
osv 11
github 10
securityvulns 7
fedora 2
debian 1
seebug 1
veracode 2
gentoo 1
amazon 1
f5 1
ubuntu 1
ibm 3
nessus
nessus
Apache Tomcat 7.x < 7.0.12 Multiple Vulnerabilities
2011-04-07 00:00:00
openSUSE Security Update : tomcat6 (openSUSE-SU-2012:0208-1)
2014-06-13 00:00:00
SuSE 11.1 Security Update : tomcat6 (SAT Patch Number 5759)
2012-02-07 00:00:00
tomcat
tomcat
Fixed in Apache Tomcat 7.0.12
2011-04-06 00:00:00
Fixed in Apache Tomcat 6.0.33
2011-08-18 00:00:00
Fixed in Apache Tomcat 5.5.34
2011-09-22 00:00:00
openvas
openvas
Apache Tomcat 7.0.x < 7.0.11 Multiple Vulnerabilities - Linux
2021-10-29 00:00:00
SUSE: Security Advisory (SUSE-SU-2012:0155-1)
2021-06-09 00:00:00
SuSE Update for tomcat6 openSUSE-SU-2012:0208-1 (tomcat6)
2012-08-02 00:00:00
suse
suse
Security update for tomcat6 (important)
2012-02-07 04:08:27
tomcat6: Fix multiple weaknesses in HTTP DIGESTS (important)
2012-02-09 19:09:55
redhat
redhat
(RHSA-2012:0041) Moderate: jbossweb security update
2012-01-19 17:20:26
(RHSA-2011:1845) Moderate: tomcat5 security update
2011-12-20 00:00:00
(RHSA-2011:1780) Moderate: tomcat6 security and bug fix update
2011-12-05 00:00:00
oraclelinux
oraclelinux
tomcat5 security update
2011-12-20 00:00:00
tomcat6 security and bug fix update
2011-12-05 00:00:00
tomcat5 security update
2012-04-11 00:00:00
centos
centos
tomcat6 security update
2011-12-22 16:00:12
tomcat5 security update
2011-12-20 19:18:57
prion
prion
Authentication flaw
2012-01-14 21:55:00
Design/Logic Flaw
2012-01-14 21:55:00
Hardcoded credentials
2012-01-14 21:55:00
debiancve
debiancve
CVE-2011-5062
2012-01-14 21:55:00
CVE-2011-5063
2012-01-14 21:55:00
CVE-2011-5064
2012-01-14 21:55:00
ubuntucve
ubuntucve
CVE-2011-5062
2012-01-14 00:00:00
CVE-2011-5064
2012-01-14 00:00:00
CVE-2011-5063
2012-01-14 00:00:00
cve
cve
CVE-2011-5063
2012-01-14 21:55:00
CVE-2011-5062
2012-01-14 21:55:00
CVE-2011-5064
2012-01-14 21:55:00
osv
osv
Improper Authentication in Apache Tomcat
2022-05-14 01:17:03
Use of Hard-coded Cryptographic Key in Apache Tomcat
2022-05-14 01:17:03
Improper Authentication in Apache Tomcat
2022-05-14 01:17:03
github
github
Improper Authentication in Apache Tomcat
2022-05-14 01:17:03
Improper Authentication in Apache Tomcat
2022-05-14 01:17:03
Use of Hard-coded Cryptographic Key in Apache Tomcat
2022-05-14 01:17:03
securityvulns
securityvulns
Apache Tomcat protection bypass
2011-05-17 00:00:00
[SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass
2011-05-17 00:00:00
Apache Tomcat information leakage
2011-04-13 00:00:00
fedora
fedora
[SECURITY] Fedora 16 Update: tomcat6-6.0.35-1.fc16
2012-08-09 23:11:34
[SECURITY] Fedora 15 Update: tomcat6-6.0.32-10.fc15
2011-11-10 17:33:27
debian
debian
[SECURITY] [DSA 2401-1] tomcat6 security update
2012-02-02 19:29:50
seebug
seebug
Apache Tomcat &quot;@ServletSecurity&quot; 注释安全限制绕过漏洞
2011-03-14 00:00:00
veracode
veracode
Authentication Bypass By Sniffing Valid Network Requests
2019-01-15 08:51:25
Authentication Bypass In The Replay-countermeasure Functionality
2019-01-15 09:00:03
gentoo
gentoo
Apache Tomcat: Multiple vulnerabilities
2012-06-24 00:00:00
amazon
amazon
Important: tomcat6
2011-12-02 22:21:00
f5
f5
K54891070 : Tomcat vulnerabilities CVE-2012-5885, CVE-2012-5886, and CVE-2012-5887
2017-10-11 00:00:00
ubuntu
ubuntu
Tomcat vulnerabilities
2011-11-08 00:00:00
ibm
ibm
Security Bulletin: Apache Log4j Vulnerabilities Affect IBM Sterling B2B Integrator
2021-10-06 14:56:49
Security Bulletin: Storwize V7000 Unified V1.3.2.3 and V1.4.0.0 Include Fixes for Multiple Vendor Security Vulnerabilities
2022-09-26 04:23:14
Security Bulletin: SONAS Update Includes Fixes for Multiple Vendor Security Vulnerabilities
2022-09-26 04:23:14
JSON
Related for 5882.PASL
nessus28tomcat5openvas37suse2redhat10oraclelinux3centos2prion10debiancve5ubuntucve8cve10osv11github10securityvulns7fedora2debian1seebug1veracode2gentoo1amazon1f51ubuntu1ibm3