CVE-2012-5886

NameCVE-2012-5886
DescriptionThe HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
NVD severitymedium (attack range: remote)
Debian Bugs692439, 692440
Debian/oldoldstablenot vulnerable.
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat6 (PTS)squeeze, squeeze (security)6.0.35-1+squeeze4fixed
squeeze (lts)6.0.41-2+squeeze6fixed
wheezy, wheezy (security)6.0.35-6+deb7u1fixed
jessie6.0.41-3fixed
stretch, sid6.0.41-4fixed
tomcat7 (PTS)wheezy, wheezy (security)7.0.28-4+deb7u1fixed
jessie7.0.56-3fixed
stretch, sid7.0.61-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6source(unstable)6.0.35-5+nmu1medium692439
tomcat6sourcesqueeze6.0.35-1+squeeze3medium
tomcat7source(unstable)7.0.28-3+nmu1medium692440

Notes

DSA 2725

Search for package or bug name: Reporting problems