Your submission was sent successfully! Close

CVE-2011-1184

Published: 26 September 2011

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Priority

Medium

Status

Package Release Status
tomcat5.5
Launchpad, Ubuntu, Debian
hardy Ignored
(reached end-of-life)
lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Does not exist

upstream
Released (5.5.34)
tomcat6
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid
Released (6.0.24-2ubuntu1.9)
maverick
Released (6.0.28-2ubuntu1.5)
natty
Released (6.0.28-10ubuntu2.2)
oneiric
Released (6.0.32-5ubuntu1.1)
upstream
Released (6.0.33)
Patches:
upstream: http://svn.apache.org/viewvc?view=revision&revision=1158180
tomcat7
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Not vulnerable
(7.0.21-1)
upstream
Released (7.0.12)