Vulnerability & Exploit Database

RHSA-2013:0640: tomcat5 security update

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published: November 17, 2012
Added: March 15, 2013
Modified: July 04, 2017

Description

Apache Tomcat is a servlet container.

It was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls, and thereby access resources not permitted by the roles associated with their authenticated session. (CVE-2012-3546)

Multiple weaknesses were found in the Tomcat DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Users of Tomcat should upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect.
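Added example, not part of this advisory: a small access-log check that flags requests where "/j_security_check" is appended to a path other than an application's normal FORM-login submission path (the context root), which is the request shape described for CVE-2012-3546. The log lines, the context root "/app" and the log format (common log format) are constructed assumptions.

```python
import re

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2013:10:01:02 +0000] "GET /app/login.jsp HTTP/1.1" 200 512
10.0.0.5 - - [15/Mar/2013:10:01:05 +0000] "POST /app/j_security_check HTTP/1.1" 302 0
10.0.0.9 - - [15/Mar/2013:10:02:11 +0000] "GET /app/admin/reports/j_security_check HTTP/1.1" 200 2048
10.0.0.9 - - [15/Mar/2013:10:02:12 +0000] "GET /app/admin/j_security_check?x=1 HTTP/1.1" 200 1024
"""

# Legitimate FORM-login submission paths are "<context root>/j_security_check";
# the context roots deployed on this host are an assumed, constructed list.
KNOWN_CONTEXT_ROOTS = {"/app"}

SUFFIX = "/j_security_check"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def flag_appended_j_security_check(log_text, context_roots=KNOWN_CONTEXT_ROOTS):
    """Return records whose path ends in /j_security_check but whose prefix
    is not a known context root, i.e. the suffix was appended to some other
    (possibly protected) resource path. Query strings are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        path = m.group("target").split("?", 1)[0]
        if not path.endswith(SUFFIX):
            continue
        prefix = path[: -len(SUFFIX)]
        if prefix in context_roots:
            continue  # normal login form submission
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "resource_prefix": prefix,
            "status": int(m.group("status")),
        })
    return hits


if __name__ == "__main__":
    for hit in flag_appended_j_security_check(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status against a path under a protected tree is the case worth correlating with the session's roles; patched packages from this update remove the bypass itself.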

References

Solution

redhat-upgrade-tomcat5
