CVE-2011-5062

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

Affected Software

Name	Vendor	Start Version	End Version
Tomcat	Apache	5.5.0 (including)	5.5.0 (including)
Tomcat	Apache	5.5.1 (including)	5.5.1 (including)
Tomcat	Apache	5.5.2 (including)	5.5.2 (including)
Tomcat	Apache	5.5.3 (including)	5.5.3 (including)
Tomcat	Apache	5.5.4 (including)	5.5.4 (including)
Tomcat	Apache	5.5.5 (including)	5.5.5 (including)
Tomcat	Apache	5.5.6 (including)	5.5.6 (including)
Tomcat	Apache	5.5.7 (including)	5.5.7 (including)
Tomcat	Apache	5.5.8 (including)	5.5.8 (including)
Tomcat	Apache	5.5.9 (including)	5.5.9 (including)
Tomcat	Apache	5.5.10 (including)	5.5.10 (including)
Tomcat	Apache	5.5.11 (including)	5.5.11 (including)
Tomcat	Apache	5.5.12 (including)	5.5.12 (including)
Tomcat	Apache	5.5.13 (including)	5.5.13 (including)
Tomcat	Apache	5.5.14 (including)	5.5.14 (including)
Tomcat	Apache	5.5.15 (including)	5.5.15 (including)
Tomcat	Apache	5.5.16 (including)	5.5.16 (including)
Tomcat	Apache	5.5.17 (including)	5.5.17 (including)
Tomcat	Apache	5.5.18 (including)	5.5.18 (including)
Tomcat	Apache	5.5.19 (including)	5.5.19 (including)
Tomcat	Apache	5.5.20 (including)	5.5.20 (including)
Tomcat	Apache	5.5.21 (including)	5.5.21 (including)
Tomcat	Apache	5.5.22 (including)	5.5.22 (including)
Tomcat	Apache	5.5.23 (including)	5.5.23 (including)
Tomcat	Apache	5.5.24 (including)	5.5.24 (including)
Tomcat	Apache	5.5.25 (including)	5.5.25 (including)
Tomcat	Apache	5.5.26 (including)	5.5.26 (including)
Tomcat	Apache	5.5.27 (including)	5.5.27 (including)
Tomcat	Apache	5.5.28 (including)	5.5.28 (including)
Tomcat	Apache	5.5.29 (including)	5.5.29 (including)
Tomcat	Apache	5.5.30 (including)	5.5.30 (including)
Tomcat	Apache	5.5.31 (including)	5.5.31 (including)
Tomcat	Apache	5.5.32 (including)	5.5.32 (including)
Tomcat	Apache	5.5.33 (including)	5.5.33 (including)
JBEWP 5 for RHEL 5	RedHat	jbossweb-0:2.1.12-3_patch_03.2.ep5.el5	*
JBEWP 5 for RHEL 6	RedHat	jbossweb-0:2.1.12-3_patch_03.2.ep5.el6	*
JBoss Communications Platform 5.1	RedHat		*
JBoss Enterprise BRMS Platform 5.1	RedHat		*
Red Hat Enterprise Linux 5	RedHat	tomcat5-0:5.5.23-0jpp.22.el5_7	*
Red Hat Enterprise Linux 6	RedHat	tomcat6-0:6.0.24-35.el6_1	*
Red Hat JBoss Enterprise Application Platform 4.3	RedHat		*
Red Hat JBoss Enterprise Application Platform 5.1	RedHat		*
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4	RedHat	jbossweb-0:2.1.12-3_patch_03.2.ep5.el4	*
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5	RedHat	jbossweb-0:2.1.12-3_patch_03.2.ep5.el5	*
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6	RedHat	jbossweb-0:2.1.12-3_patch_03.2.ep5.el6	*
Red Hat JBoss Enterprise Web Server 1 for RHEL 5	RedHat	tomcat5-0:5.5.33-27_patch_07.ep5.el5	*
Red Hat JBoss Enterprise Web Server 1 for RHEL 5	RedHat	tomcat6-0:6.0.32-24_patch_07.ep5.el5	*
Red Hat JBoss Enterprise Web Server 1 for RHEL 6	RedHat	tomcat5-0:5.5.33-28_patch_07.ep5.el6	*
Red Hat JBoss Enterprise Web Server 1 for RHEL 6	RedHat	tomcat6-0:6.0.32-24_patch_07.ep5.el6	*
Red Hat JBoss Portal 4.3	RedHat		*
Red Hat JBoss Portal 5.2	RedHat		*
Red Hat JBoss SOA Platform 5.2	RedHat		*
Red Hat JBoss Web Platform 5.1	RedHat		*
Red Hat JBoss Web Server 1.0	RedHat		*
Red Hat JBoss Web Server 1.0	RedHat		*
Tomcat5.5	Ubuntu	hardy	*
Tomcat6	Ubuntu	devel	*
Tomcat6	Ubuntu	lucid	*
Tomcat6	Ubuntu	maverick	*
Tomcat6	Ubuntu	natty	*
Tomcat6	Ubuntu	oneiric	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2011-5062
CWE	https://cwe.mitre.org/data/definitions/264.html

Affected Software

References