CVE-2012-5886

NameCVE-2012-5886
DescriptionThe HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs692439, 692440

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat6 (PTS)wheezy6.0.45+dfsg-1~deb7u1fixed
wheezy (security)6.0.45+dfsg-1~deb7u2fixed
jessie (security), jessie6.0.45+dfsg-1~deb8u1fixed
tomcat7 (PTS)wheezy7.0.28-4+deb7u4fixed
wheezy (security)7.0.28-4+deb7u6fixed
jessie7.0.56-3+deb8u3fixed
jessie (security)7.0.56-3+deb8u4fixed
stretch7.0.70-3fixed
sid7.0.72-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6source(unstable)6.0.35-5+nmu1medium692439
tomcat6sourcesqueeze6.0.35-1+squeeze3medium
tomcat7source(unstable)7.0.28-3+nmu1medium692440

Notes

DSA 2725

Search for package or bug name: Reporting problems