CVE-2012-3546

Authentication Bypass in Apache Tomcat in maven/org.apache.tomcat/tomcat

Identifiers

GHSA-jgm2-m5cg-f66g, CVE-2012-3546

Package Slug

maven/org.apache.tomcat/tomcat

Vulnerability

Authentication Bypass in Apache Tomcat

Description

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check (the FORM login action) at the end of a URI.

Affected Versions

All versions starting from 6.0.0 before 6.0.36, all versions starting from 7.0.0 before 7.0.30

Solution

Upgrade to 6.0.36 or later on the 6.x branch, or to 7.0.30 or later on the 7.x branch.
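The affected ranges and fix versions above are the data an inventory or scan script needs. The following is an added example, not code from Apache Tomcat or from the advisory: it parses a Tomcat version out of a bare version string or a "Apache Tomcat/x.y.z" style banner (the banner format is an assumption; any text containing a major.minor.patch triple works), applies the advisory's ranges with an inclusive lower bound and exclusive upper bound, and reports the minimum fixed release for the branch. The sample banners at the bottom are constructed for illustration.

```python
"""CVE-2012-3546 affected-version check (added example, not Apache's code)."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# From the advisory: [6.0.0, 6.0.36) and [7.0.0, 7.0.30) are affected;
# the upper bound of each range is the first fixed release on that branch.
AFFECTED_RANGES = (
    ((6, 0, 0), (6, 0, 36)),
    ((7, 0, 0), (7, 0, 30)),
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(text: str) -> Optional[Version]:
    """Extract the first major.minor.patch triple from a version string or
    server banner such as 'Apache Tomcat/7.0.29' (banner format assumed).
    Returns None when no triple is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is inside an affected range, False if not,
    None if the version could not be parsed (unknown is not 'safe')."""
    v = parse_tomcat_version(text)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version(text: str) -> Optional[Version]:
    """Minimum fixed release for an affected version's branch, else None."""
    v = parse_tomcat_version(text)
    if v is None:
        return None
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return hi
    return None


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for banner in ("Apache Tomcat/7.0.29", "Apache Tomcat/7.0.30",
                   "6.0.35", "Apache Tomcat/6.0.36", "Apache Tomcat/5.5.36",
                   "Apache-Coyote/1.1"):
        status = is_affected(banner)
        fix = fixed_version(banner)
        print(f"{banner!r}: affected={status}"
              + (f", upgrade to {'.'.join(map(str, fix))}" if fix else ""))
```

Treat a None result as a finding to follow up, not as a pass: a banner without a version is exactly what a hardened server returns, and the version must then be confirmed another way.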

Last Modified

2022-07-25
