CVE-2011-5064
Published: 14 January 2012
DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.
Notes
| Author | Note |
|---|---|
| sbeattie | MITRE split this out from CVE-2011-1184. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
tomcat5.5 Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1159309 |
||
|
tomcat6 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Released
(6.0.24-2ubuntu1.9)
|
|
| maverick |
Released
(6.0.28-2ubuntu1.5)
|
|
| natty |
Released
(6.0.28-10ubuntu2.2)
|
|
| oneiric |
Released
(6.0.32-5ubuntu1.1)
|
|
| upstream |
Needs triage
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1158180 |
||
|
tomcat7 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Not vulnerable
(7.0.21-1)
|
|
| upstream |
Needs triage
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=rev&rev=1087655 |
||