CVE-2011-1184

Published: Jan 14, 2012Modified: Apr 29, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Affected (77)

Products: Apache: Tomcat

1 product

Configuration A

34 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 5.5.0
Apache Tomcat	Version 5.5.10
Apache Tomcat	Version 5.5.11
Apache Tomcat	Version 5.5.12
Apache Tomcat	Version 5.5.13
Apache Tomcat	Version 5.5.14
Apache Tomcat	Version 5.5.15
Apache Tomcat	Version 5.5.16
Apache Tomcat	Version 5.5.17
Apache Tomcat	Version 5.5.18
Apache Tomcat	Version 5.5.19
Apache Tomcat	Version 5.5.1
Apache Tomcat	Version 5.5.20
Apache Tomcat	Version 5.5.21
Apache Tomcat	Version 5.5.22
Apache Tomcat	Version 5.5.23
Apache Tomcat	Version 5.5.24
Apache Tomcat	Version 5.5.25
Apache Tomcat	Version 5.5.26
Apache Tomcat	Version 5.5.27
Apache Tomcat	Version 5.5.28
Apache Tomcat	Version 5.5.29
Apache Tomcat	Version 5.5.2
Apache Tomcat	Version 5.5.30
Apache Tomcat	Version 5.5.31
Apache Tomcat	Version 5.5.32
Apache Tomcat	Version 5.5.33
Apache Tomcat	Version 5.5.3
Apache Tomcat	Version 5.5.4
Apache Tomcat	Version 5.5.5
Apache Tomcat	Version 5.5.6
Apache Tomcat	Version 5.5.7
Apache Tomcat	Version 5.5.8
Apache Tomcat	Version 5.5.9

Configuration B

30 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 6.0.0
Apache Tomcat	Version 6.0.10
Apache Tomcat	Version 6.0.11
Apache Tomcat	Version 6.0.12
Apache Tomcat	Version 6.0.13
Apache Tomcat	Version 6.0.14
Apache Tomcat	Version 6.0.15
Apache Tomcat	Version 6.0.16
Apache Tomcat	Version 6.0.17
Apache Tomcat	Version 6.0.18
Apache Tomcat	Version 6.0.19
Apache Tomcat	Version 6.0.1
Apache Tomcat	Version 6.0.20
Apache Tomcat	Version 6.0.24
Apache Tomcat	Version 6.0.26
Apache Tomcat	Version 6.0.27
Apache Tomcat	Version 6.0.28
Apache Tomcat	Version 6.0.29
Apache Tomcat	Version 6.0.2
Apache Tomcat	Version 6.0.30
Apache Tomcat	Version 6.0.31
Apache Tomcat	Version 6.0.32
Apache Tomcat	Version 6.0.3
Apache Tomcat	Version 6.0.4
Apache Tomcat	Version 6.0.5
Apache Tomcat	Version 6.0.6
Apache Tomcat	Version 6.0.7
Apache Tomcat	Version 6.0.8
Apache Tomcat	Version 6.0.9
Apache Tomcat	Version 6.0

Configuration C

13 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 7.0.0
Apache Tomcat	Version 7.0.0 beta
Apache Tomcat	Version 7.0.10
Apache Tomcat	Version 7.0.11
Apache Tomcat	Version 7.0.1
Apache Tomcat	Version 7.0.2
Apache Tomcat	Version 7.0.3
Apache Tomcat	Version 7.0.4
Apache Tomcat	Version 7.0.5
Apache Tomcat	Version 7.0.6
Apache Tomcat	Version 7.0.7
Apache Tomcat	Version 7.0.8
Apache Tomcat	Version 7.0.9

Related CWEs

References (52)

http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=133469267822771&w=2

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=136485229118404&w=2

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=139344343412337&w=2

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2012-0074.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2012-0075.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2012-0076.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2012-0077.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2012-0078.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2012-0325.html

Source: secalert@redhat.com

http://secunia.com/advisories/57126

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=rev&rev=1087655

Source: secalert@redhat.com

Patch

http://svn.apache.org/viewvc?view=rev&rev=1158180

Source: secalert@redhat.com

Patch

http://svn.apache.org/viewvc?view=rev&rev=1159309

Source: secalert@redhat.com

Patch

http://tomcat.apache.org/security-5.html

Source: secalert@redhat.com

Vendor Advisory

http://tomcat.apache.org/security-6.html

Source: secalert@redhat.com

Vendor Advisory

http://tomcat.apache.org/security-7.html

Source: secalert@redhat.com

Vendor Advisory

http://www.debian.org/security/2012/dsa-2401

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDVSA-2011:156

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2011-1845.html

Source: secalert@redhat.com

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19169

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://marc.info/?l=bugtraq&m=133469267822771&w=2

Source: af854a3a-2127-422b-91ae-364da2661108

http://marc.info/?l=bugtraq&m=136485229118404&w=2

Source: af854a3a-2127-422b-91ae-364da2661108

http://marc.info/?l=bugtraq&m=139344343412337&w=2

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0074.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0075.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0076.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0077.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0078.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0325.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/57126

Source: af854a3a-2127-422b-91ae-364da2661108

http://svn.apache.org/viewvc?view=rev&rev=1087655

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://svn.apache.org/viewvc?view=rev&rev=1158180

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://svn.apache.org/viewvc?view=rev&rev=1159309

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://tomcat.apache.org/security-5.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://tomcat.apache.org/security-6.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://tomcat.apache.org/security-7.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.debian.org/security/2012/dsa-2401

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mandriva.com/security/advisories?name=MDVSA-2011:156

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.redhat.com/support/errata/RHSA-2011-1845.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19169

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.