CVE-2011-5062 — Improper Authentication in Apache Tomcat

Description

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

How to fix CVE-2011-5062

To remediate CVE-2011-5062, upgrade the affected package to a fixed version below.

Maven/org.apache.tomcat:tomcat—upgrade to 5.5.34 or later

Is CVE-2011-5062 being exploited?

Moderate — EPSS is 5.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 5.5.0, < 5.5.34

References (22)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-5062
PATCHgithub.com/apache/tomcat
WEBlists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html
WEBlists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html
WEB