
CVE-2012-5886

Published: 17 November 2012

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.

Priority

Medium

Status

Package: tomcat5.5 (Launchpad, Ubuntu, Debian)
Release: Upstream
Status: Needed
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1392248

Package: tomcat6 (Launchpad, Ubuntu, Debian)
Release: Upstream
Status: Released (6.0.35-5+nmu1)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1380829

Package: tomcat7 (Launchpad, Ubuntu, Debian)
Release: Upstream
Status: Released (7.0.30)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1377807