Описание
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
| Релиз | Статус | Примечание |
|---|---|---|
| artful | DNE | |
| bionic | DNE | |
| cosmic | DNE | |
| devel | DNE | |
| esm-apps/xenial | released | 6.0.45+dfsg-1ubuntu0.1 |
| esm-infra-legacy/trusty | not-affected | 6.0.39-1ubuntu0.1 |
| esm-infra/focal | DNE | |
| focal | DNE | |
| precise | released | 6.0.35-1ubuntu3.9 |
| precise/esm | not-affected | 6.0.35-1ubuntu3.9 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| artful | ignored | end of life |
| bionic | not-affected | |
| cosmic | not-affected | |
| devel | DNE | |
| esm-apps/bionic | not-affected | |
| esm-apps/xenial | released | 7.0.68-1ubuntu0.3 |
| esm-infra-legacy/trusty | not-affected | 7.0.52-1ubuntu0.7 |
| esm-infra/focal | DNE | |
| focal | DNE | |
| precise | ignored | end of life |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| artful | not-affected | 8.0.38-2 |
| bionic | not-affected | 8.0.38-2 |
| cosmic | not-affected | 8.0.38-2 |
| devel | DNE | |
| esm-apps/bionic | not-affected | 8.0.38-2 |
| esm-infra-legacy/trusty | DNE | |
| esm-infra/focal | DNE | |
| esm-infra/xenial | not-affected | 8.0.32-1ubuntu1.3 |
| focal | DNE | |
| precise | DNE |
Показывать по
4.3 Medium
CVSS2
5.9 Medium
CVSS3
Связанные уязвимости
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0. ...
Уязвимость реализации Realm сервера приложений Apache Tomcat, связанная с раскрытием информации через несоответствие, позволяющая нарушителю определить все существующие имена пользователей
4.3 Medium
CVSS2
5.9 Medium
CVSS3