Skip to main content

CVE-2011-1184

Severity

9.1

Description

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Project

Category
n/a
Tags
functional
Date Disclosed

2012-01-14

Date Discovered

2011-03-03

Apache Tomcat 7.0.x

First release:
2011-01-14
First release:
2021-03-31
0
Support Lifecycle:
Namespace:
javax

Apache Tomcat 6.0.x

First release:
2007-02-28
First release:
2016-12-31
0
Support Lifecycle:
Namespace:
javax
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.