{ "threat_severity" : "Moderate", "public_date" : "2011-09-26T00:00:00Z", "bugzilla" : { "description" : "tomcat: Multiple weaknesses in HTTP DIGEST authentication", "id" : "741401", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=741401" }, "cvss" : { "cvss_base_score" : "4.3", "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status" : "verified" }, "details" : [ "DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184." ], "affected_release" : [ { "product_name" : "JBEWP 5 for RHEL 5", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0076", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5", "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el5" }, { "product_name" : "JBEWP 5 for RHEL 6", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0076", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6", "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el6" }, { "product_name" : "JBoss Communications Platform 5.1", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0078", "cpe" : "cpe:/a:redhat:jboss_communications_platform:5.1" }, { "product_name" : "JBoss Enterprise BRMS Platform 5.1", "release_date" : "2012-02-22T00:00:00Z", "advisory" : "RHSA-2012:0325", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5.1" }, { "product_name" : "Red Hat Enterprise Linux 5", "release_date" : "2011-12-20T00:00:00Z", "advisory" : "RHSA-2011:1845", "cpe" : "cpe:/o:redhat:enterprise_linux:5", "package" : "tomcat5-0:5.5.23-0jpp.22.el5_7" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2011-12-05T00:00:00Z", "advisory" : "RHSA-2011:1780", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "tomcat6-0:6.0.24-35.el6_1" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 4.3", "release_date" : "2012-01-19T00:00:00Z", "advisory" : "RHSA-2012:0041", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:4.3" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5.1", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0075", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5.1" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0074", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4", "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el4" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0074", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5", "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0074", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6", "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0680", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "tomcat5-0:5.5.33-27_patch_07.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0682", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "tomcat6-0:6.0.32-24_patch_07.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 6", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0680", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el6", "package" : "tomcat5-0:5.5.33-28_patch_07.ep5.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 6", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0682", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el6", "package" : "tomcat6-0:6.0.32-24_patch_07.ep5.el6" }, { "product_name" : "Red Hat JBoss Portal 4.3", "release_date" : "2012-02-02T00:00:00Z", "advisory" : "RHSA-2012:0091", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:4.3" }, { "product_name" : "Red Hat JBoss Portal 5.2", "release_date" : "2012-02-22T00:00:00Z", "advisory" : "RHSA-2012:0325", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2" }, { "product_name" : "Red Hat JBoss SOA Platform 5.2", "release_date" : "2012-02-22T00:00:00Z", "advisory" : "RHSA-2012:0325", "cpe" : "cpe:/a:redhat:jboss_soa_platform:5.2" }, { "product_name" : "Red Hat JBoss Web Platform 5.1", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0077", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5.1" }, { "product_name" : "Red Hat JBoss Web Server 1.0", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0679", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1.0" }, { "product_name" : "Red Hat JBoss Web Server 1.0", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0681", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1.0" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2011-5064\nhttps://nvd.nist.gov/vuln/detail/CVE-2011-5064" ], "name" : "CVE-2011-5064", "csaw" : false }