CVE-2011-5064

Published: Jan 14, 2012Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

Affected (77)

Products: Apache: Tomcat

1 product

Configuration A

34 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 5.5.0
Apache Tomcat	Version 5.5.10
Apache Tomcat	Version 5.5.11
Apache Tomcat	Version 5.5.12
Apache Tomcat	Version 5.5.13
Apache Tomcat	Version 5.5.14
Apache Tomcat	Version 5.5.15
Apache Tomcat	Version 5.5.16
Apache Tomcat	Version 5.5.17
Apache Tomcat	Version 5.5.18
Apache Tomcat	Version 5.5.19
Apache Tomcat	Version 5.5.1
Apache Tomcat	Version 5.5.20
Apache Tomcat	Version 5.5.21
Apache Tomcat	Version 5.5.22
Apache Tomcat	Version 5.5.23
Apache Tomcat	Version 5.5.24
Apache Tomcat	Version 5.5.25
Apache Tomcat	Version 5.5.26
Apache Tomcat	Version 5.5.27
Apache Tomcat	Version 5.5.28
Apache Tomcat	Version 5.5.29
Apache Tomcat	Version 5.5.2
Apache Tomcat	Version 5.5.30
Apache Tomcat	Version 5.5.31
Apache Tomcat	Version 5.5.32
Apache Tomcat	Version 5.5.33
Apache Tomcat	Version 5.5.3
Apache Tomcat	Version 5.5.4
Apache Tomcat	Version 5.5.5
Apache Tomcat	Version 5.5.6
Apache Tomcat	Version 5.5.7
Apache Tomcat	Version 5.5.8
Apache Tomcat	Version 5.5.9

Configuration B

30 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 6.0.0
Apache Tomcat	Version 6.0.10
Apache Tomcat	Version 6.0.11
Apache Tomcat	Version 6.0.12
Apache Tomcat	Version 6.0.13
Apache Tomcat	Version 6.0.14
Apache Tomcat	Version 6.0.15
Apache Tomcat	Version 6.0.16
Apache Tomcat	Version 6.0.17
Apache Tomcat	Version 6.0.18
Apache Tomcat	Version 6.0.19
Apache Tomcat	Version 6.0.1
Apache Tomcat	Version 6.0.20
Apache Tomcat	Version 6.0.24
Apache Tomcat	Version 6.0.26
Apache Tomcat	Version 6.0.27
Apache Tomcat	Version 6.0.28
Apache Tomcat	Version 6.0.29
Apache Tomcat	Version 6.0.2
Apache Tomcat	Version 6.0.30
Apache Tomcat	Version 6.0.31
Apache Tomcat	Version 6.0.32
Apache Tomcat	Version 6.0.3
Apache Tomcat	Version 6.0.4
Apache Tomcat	Version 6.0.5
Apache Tomcat	Version 6.0.6
Apache Tomcat	Version 6.0.7
Apache Tomcat	Version 6.0.8
Apache Tomcat	Version 6.0.9
Apache Tomcat	Version 6.0

Configuration C

13 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 7.0.0
Apache Tomcat	Version 7.0.0 beta
Apache Tomcat	Version 7.0.10
Apache Tomcat	Version 7.0.11
Apache Tomcat	Version 7.0.1
Apache Tomcat	Version 7.0.2
Apache Tomcat	Version 7.0.3
Apache Tomcat	Version 7.0.4
Apache Tomcat	Version 7.0.5
Apache Tomcat	Version 7.0.6
Apache Tomcat	Version 7.0.7
Apache Tomcat	Version 7.0.8
Apache Tomcat	Version 7.0.9

Related CWEs

References (44)

http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html

Source: cve@mitre.org

http://marc.info/?l=bugtraq&m=139344343412337&w=2

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2012-0074.html

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2012-0075.html

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2012-0076.html

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2012-0077.html

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2012-0078.html

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2012-0325.html

Source: cve@mitre.org

http://secunia.com/advisories/57126

Source: cve@mitre.org

http://svn.apache.org/viewvc?view=rev&rev=1087655

Source: cve@mitre.org

Patch

http://svn.apache.org/viewvc?view=rev&rev=1158180

Source: cve@mitre.org

Patch

http://svn.apache.org/viewvc?view=rev&rev=1159309

Source: cve@mitre.org

Patch

http://tomcat.apache.org/security-5.html

Source: cve@mitre.org

Vendor Advisory

http://tomcat.apache.org/security-6.html

Source: cve@mitre.org

Vendor Advisory

http://tomcat.apache.org/security-7.html

Source: cve@mitre.org

Vendor Advisory

http://www.debian.org/security/2012/dsa-2401

Source: cve@mitre.org

http://www.redhat.com/support/errata/RHSA-2011-1845.html

Source: cve@mitre.org

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://marc.info/?l=bugtraq&m=139344343412337&w=2

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0074.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0075.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0076.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0077.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0078.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0325.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/57126

Source: af854a3a-2127-422b-91ae-364da2661108

http://svn.apache.org/viewvc?view=rev&rev=1087655

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://svn.apache.org/viewvc?view=rev&rev=1158180

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://svn.apache.org/viewvc?view=rev&rev=1159309

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://tomcat.apache.org/security-5.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://tomcat.apache.org/security-6.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://tomcat.apache.org/security-7.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.debian.org/security/2012/dsa-2401

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.redhat.com/support/errata/RHSA-2011-1845.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.