GHSA-6cr4-7c7p-p3xv

Suggest an improvement
Source
https://github.com/advisories/GHSA-6cr4-7c7p-p3xv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6cr4-7c7p-p3xv/GHSA-6cr4-7c7p-p3xv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6cr4-7c7p-p3xv
Aliases
  • CVE-2011-5064
Published
2022-05-14T01:17:03Z
Modified
2023-11-01T04:44:37.276767Z
Summary
Use of Hard-coded Cryptographic Key in Apache Tomcat
Details

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

Database specific
{
    "nvd_published_at": "2012-01-14T21:55:00Z",
    "cwe_ids": [
        "CWE-321"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-13T18:30:02Z"
}
References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.5.34

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.33

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.12