5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
53.5%
The replay-countermeasure functionality in the HTTP Digest Access
Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x
before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce)
values instead of nonce (aka server nonce) and nc (aka nonce-count) values,
which makes it easier for remote attackers to bypass intended access
restrictions by sniffing the network for valid requests, a different
vulnerability than CVE-2011-1184.
Author | Note |
---|---|
mdeslaur | This was originally called CVE-2012-3439 |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 10.04 | noarch | tomcat6 | <ย 6.0.24-2ubuntu1.11 | UNKNOWN |
ubuntu | 11.10 | noarch | tomcat6 | <ย 6.0.32-5ubuntu1.3 | UNKNOWN |
ubuntu | 12.04 | noarch | tomcat6 | <ย 6.0.35-1ubuntu3.1 | UNKNOWN |
ubuntu | 12.10 | noarch | tomcat6 | <ย 6.0.35-5ubuntu0.1 | UNKNOWN |
ubuntu | 11.10 | noarch | tomcat7 | <ย 7.0.21-1ubuntu0.1 | UNKNOWN |
ubuntu | 12.04 | noarch | tomcat7 | <ย 7.0.26-1ubuntu1.2 | UNKNOWN |