CVE-2011-5064

Use of Hard-coded Cryptographic Key in Apache Tomcat in maven/org.apache.tomcat/tomcat

Identifiers

GHSA-6cr4-7c7p-p3xv, CVE-2011-5064

Package Slug

maven/org.apache.tomcat/tomcat

Vulnerability

Use of Hard-coded Cryptographic Key in Apache Tomcat

Description

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses the fixed string "Catalina" as the hard-coded server secret (also called the private key). Because this value is the same in every affected installation, remote attackers who know the string can more easily bypass the cryptographic protection mechanisms that depend on it. This is a different vulnerability from CVE-2011-1184.

Affected Versions

All versions starting from 5.5.0 before 5.5.34, all versions starting from 6.0.0 before 6.0.33, all versions starting from 7.0.0 before 7.0.12

Solution

Upgrade to version 5.5.34, 6.0.33, or 7.0.12 (or later) of the corresponding release line.

Last Modified

2022-07-25