DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
The error classified as CWE-592 (Authentication Bypass Issues) concerns the implementation of digest authentication in Apache Tomcat. A remote unauthenticated attacker can exploit the vulnerability over the network without user interaction and without meeting any additional conditions (vector AV:N/AC:L/PR:N/UI:N). The detailed technical mechanism has not been disclosed in the public description — however, it concerns irregularities in the handling of the digest authentication process.
An attacker can gain unauthorized access to resources protected by digest authentication mechanism, resulting in violation of confidentiality, integrity and availability of data (CVSS rating C:H/I:H/A:H).
Apache Tomcat should be immediately updated to version 11.0.22, 10.1.55 or 9.0.118, which contain the patch. For branches 8.5.x and 7.x, the manufacturer has not indicated patched versions — migration to a supported branch is recommended. As a temporary workaround, consider disabling the digest authentication mechanism or replacing it with another authentication method.
Apache Tomcat in versions: 11.0.0-M1 to 11.0.21, 10.1.0-M1 to 10.1.54, 9.0.0.M1 to 9.0.117, 8.5.0 to 8.5.100 and versions older than 7.0.0 (including older, unsupported versions of the 7.x and earlier branches)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Tomcat
APPApache7.0.0 – 7.0.1098.5.0 – 8.5.1009.0.0 – 9.0.118 (bez)10.1.0 – 10.1.55 (bez)11.0.0 – 11.0.22 (bez)
Related vulnerabilities
Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache To...
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5....
Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM bas...
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty...