github - ghsa-w227-xcfx-3pj8

ghsa-w227-xcfx-3pj8

Vulnerability from github

Published

2022-05-02 03:16

Modified

2022-06-17 00:37

Summary

Exposure of Sensitive Information in Apache Tomcat

Details

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.5.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2009-0580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T00:37:06Z",
    "nvd_published_at": "2009-06-05T16:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.",
  "id": "GHSA-w227-xcfx-3pj8",
  "modified": "2022-06-17T00:37:06Z",
  "published": "2022-05-02T03:16:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0580"
    },
    {
      "type": "WEB",
      "url": "https://marc.info/?l=bugtraq\u0026m=127420533226623\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "https://marc.info/?l=bugtraq\u0026m=129070310906557\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "https://marc.info/?l=bugtraq\u0026m=133469267822771\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "https://marc.info/?l=bugtraq\u0026m=136485229118404\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18915"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6628"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9101"
    },
    {
      "type": "WEB",
      "url": "https://svn.apache.org/viewvc?rev=747840\u0026view=rev"
    },
    {
      "type": "WEB",
      "url": "https://svn.apache.org/viewvc?rev=781379\u0026view=rev"
    },
    {
      "type": "WEB",
      "url": "https://svn.apache.org/viewvc?rev=781382\u0026view=rev"
    },
    {
      "type": "WEB",
      "url": "https://tomcat.apache.org/security-4.html"
    },
    {
      "type": "WEB",
      "url": "https://tomcat.apache.org/security-5.html"
    },
    {
      "type": "WEB",
      "url": "https://tomcat.apache.org/security-6.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2011/dsa-2207"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50930"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tomcat"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Exposure of Sensitive Information in Apache Tomcat"
}

cve-2009-0580

Vulnerability from cvelistv5

Published

2009-06-05 15:25

Modified

2024-08-07 04:40

Severity

Summary

References

URL	Tags
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9101	vdb-entry, signature, x_refsource_OVAL
http://tomcat.apache.org/security-4.html	x_refsource_CONFIRM
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18915	vdb-entry, signature, x_refsource_OVAL
http://marc.info/?l=bugtraq&m=127420533226623&w=2	vendor-advisory, x_refsource_HP
http://secunia.com/advisories/35326	third-party-advisory, x_refsource_SECUNIA
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138	vendor-advisory, x_refsource_MANDRIVA
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html	vendor-advisory, x_refsource_FEDORA
http://www.debian.org/security/2011/dsa-2207	vendor-advisory, x_refsource_DEBIAN
http://www.securityfocus.com/bid/35196	vdb-entry, x_refsource_BID
http://secunia.com/advisories/35344	third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=136485229118404&w=2	vendor-advisory, x_refsource_HP
http://secunia.com/advisories/37460	third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2010/3056	vdb-entry, x_refsource_VUPEN
http://www.vmware.com/security/advisories/VMSA-2009-0016.html	x_refsource_CONFIRM
http://secunia.com/advisories/35788	third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/archive/1/504125/100/0/threaded	mailing-list, x_refsource_BUGTRAQ
http://marc.info/?l=bugtraq&m=127420533226623&w=2	vendor-advisory, x_refsource_HP
http://svn.apache.org/viewvc?rev=747840&view=rev	x_refsource_CONFIRM
http://www.securityfocus.com/archive/1/504045/100/0/threaded	mailing-list, x_refsource_BUGTRAQ
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html	vendor-advisory, x_refsource_APPLE
http://www.vupen.com/english/advisories/2009/1496	vdb-entry, x_refsource_VUPEN
http://marc.info/?l=bugtraq&m=133469267822771&w=2	vendor-advisory, x_refsource_HP
http://www.securityfocus.com/archive/1/504108/100/0/threaded	mailing-list, x_refsource_BUGTRAQ
http://svn.apache.org/viewvc?rev=781382&view=rev	x_refsource_CONFIRM
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6628	vdb-entry, signature, x_refsource_OVAL
http://www.vupen.com/english/advisories/2009/1856	vdb-entry, x_refsource_VUPEN
http://securitytracker.com/id?1022332	vdb-entry, x_refsource_SECTRACK
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176	vendor-advisory, x_refsource_MANDRIVA
http://www.securityfocus.com/archive/1/507985/100/0/threaded	mailing-list, x_refsource_BUGTRAQ
http://secunia.com/advisories/42368	third-party-advisory, x_refsource_SECUNIA
http://tomcat.apache.org/security-6.html	x_refsource_CONFIRM
http://support.apple.com/kb/HT4077	x_refsource_CONFIRM
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html	vendor-advisory, x_refsource_FEDORA
http://secunia.com/advisories/35685	third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=133469267822771&w=2	vendor-advisory, x_refsource_HP
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html	vendor-advisory, x_refsource_FEDORA
http://tomcat.apache.org/security-5.html	x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html	vendor-advisory, x_refsource_SUSE
http://marc.info/?l=bugtraq&m=129070310906557&w=2	vendor-advisory, x_refsource_HP
https://exchange.xforce.ibmcloud.com/vulnerabilities/50930	vdb-entry, x_refsource_XF
http://svn.apache.org/viewvc?rev=781379&view=rev	x_refsource_CONFIRM
http://marc.info/?l=bugtraq&m=136485229118404&w=2	vendor-advisory, x_refsource_HP
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136	vendor-advisory, x_refsource_MANDRIVA
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1	vendor-advisory, x_refsource_SUNALERT
http://marc.info/?l=bugtraq&m=129070310906557&w=2	vendor-advisory, x_refsource_HP
http://www.vupen.com/english/advisories/2009/3316	vdb-entry, x_refsource_VUPEN
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website