Description
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.
Remediation
References
http://svn.apache.org/viewvc?view=rev&rev=1087655
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://svn.apache.org/viewvc?view=rev&rev=1159309
http://svn.apache.org/viewvc?view=rev&rev=1158180
http://tomcat.apache.org/security-5.html
http://www.redhat.com/support/errata/RHSA-2011-1845.html
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html
http://www.debian.org/security/2012/dsa-2401
http://rhn.redhat.com/errata/RHSA-2012-0074.html
http://rhn.redhat.com/errata/RHSA-2012-0075.html
http://rhn.redhat.com/errata/RHSA-2012-0325.html
http://rhn.redhat.com/errata/RHSA-2012-0076.html
http://rhn.redhat.com/errata/RHSA-2012-0078.html
http://rhn.redhat.com/errata/RHSA-2012-0077.html
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/57126
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
Related Vulnerabilities
CVE-2016-0762 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2012-5883 Vulnerability in npm package yui
CVE-2018-11537 Vulnerability in maven package org.webjars.bower:angular-jwt
CVE-2022-31018 Vulnerability in maven package com.typesafe.play:play_2.13
CVE-2023-32314 Vulnerability in maven package org.webjars.npm:vm2