The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.
References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html cve-icon cve-icon
http://marc.info/?l=bugtraq&m=133469267822771&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=136485229118404&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=139344343412337&w=2 cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0074.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0075.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0076.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0077.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0078.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0325.html cve-icon cve-icon
http://secunia.com/advisories/57126 cve-icon cve-icon
http://svn.apache.org/viewvc?view=rev&rev=1087655 cve-icon cve-icon
http://svn.apache.org/viewvc?view=rev&rev=1158180 cve-icon cve-icon
http://svn.apache.org/viewvc?view=rev&rev=1159309 cve-icon cve-icon
http://tomcat.apache.org/security-5.html cve-icon cve-icon
http://tomcat.apache.org/security-6.html cve-icon cve-icon
http://tomcat.apache.org/security-7.html cve-icon cve-icon
http://www.debian.org/security/2012/dsa-2401 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2011:156 cve-icon cve-icon
http://www.redhat.com/support/errata/RHSA-2011-1845.html cve-icon cve-icon
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2011-1184 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19169 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2011-1184 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2012-01-14T21:00:00

Updated: 2024-08-06T22:21:32.232Z

Reserved: 2011-03-03T00:00:00

Link: CVE-2011-1184

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2012-01-14T21:55:00.740

Modified: 2024-11-21T01:25:44.330

Link: CVE-2011-1184

cve-icon Redhat

Severity : Moderate

Publid Date: 2011-09-26T00:00:00Z

Links: CVE-2011-1184 - Bugzilla