Improper Authentication in Apache Tomcat
Moderate severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Feb 21, 2024
Package
Affected versions
>= 5.5.0, < 5.5.34
>= 6.0.0, < 6.0.33
>= 7.0.0, < 7.0.12
Patched versions
5.5.34
6.0.33
7.0.12
Description
Published by the National Vulnerability Database
Jan 14, 2012
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Jul 13, 2022
Last updated
Feb 21, 2024
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.
References