Your submission was sent successfully! Close

CVE-2012-3546

Published: 19 December 2012

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.

Priority

Medium

Status

Package Release Status
tomcat6
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid
Released (6.0.24-2ubuntu1.12)
oneiric
Released (6.0.32-5ubuntu1.4)
precise
Released (6.0.35-1ubuntu3.2)
quantal
Released (6.0.35-5ubuntu0.1)
raring Not vulnerable
(6.0.35-6)
upstream
Released (6.0.35-6)
tomcat7
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

oneiric
Released (7.0.21-1ubuntu0.1)
precise
Released (7.0.26-1ubuntu1.2)
quantal Not vulnerable
(7.0.30-0ubuntu1)
raring Not vulnerable
(7.0.34-0ubuntu1)
upstream
Released (7.0.28-4)