Описание
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
Ссылки
- Third Party Advisory
- Third Party Advisory
- Broken Link
- Broken Link
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Одно из
Одно из
Одно из
Одно из
EPSS
5.9 Medium
CVSS3
4.3 Medium
CVSS2
Дефекты
Связанные уязвимости
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0. ...
Уязвимость реализации Realm сервера приложений Apache Tomcat, связанная с раскрытием информации через несоответствие, позволяющая нарушителю определить все существующие имена пользователей
EPSS
5.9 Medium
CVSS3
4.3 Medium
CVSS2