CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

EPSS: 0.003 Low (Percentile: 71.0%)

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x
before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information
about the authenticated user within the session state, which makes it
easier for remote attackers to bypass authentication via vectors related to
the session ID.

Author | Note |
---|---|
mdeslaur | This was originally called CVE-2012-3439; same fix as CVE-2012-5885 |

OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 10.04 | noarch | tomcat6 | < 6.0.24-2ubuntu1.11 | UNKNOWN |
ubuntu | 11.10 | noarch | tomcat6 | < 6.0.32-5ubuntu1.3 | UNKNOWN |
ubuntu | 12.04 | noarch | tomcat6 | < 6.0.35-1ubuntu3.1 | UNKNOWN |
ubuntu | 12.10 | noarch | tomcat6 | < 6.0.35-5ubuntu0.1 | UNKNOWN |
ubuntu | 11.10 | noarch | tomcat7 | < 7.0.21-1ubuntu0.1 | UNKNOWN |
ubuntu | 12.04 | noarch | tomcat7 | < 7.0.26-1ubuntu1.2 | UNKNOWN |
tomcat.apache.org/security-5.html
tomcat.apache.org/security-6.html
tomcat.apache.org/security-7.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5886
launchpad.net/bugs/cve/CVE-2012-5886
nvd.nist.gov/vuln/detail/CVE-2012-5886
security-tracker.debian.org/tracker/CVE-2012-5886
ubuntu.com/security/notices/USN-1637-1